diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
new file mode 100644
index 0000000..bf2078a
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
@@ -0,0 +1,103 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1544201494 25200
+# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
+# Parent  ef83f35c9cb090a8b4fd36942f1e47e65c285dce
+The fix for bug #843 was incomplete and caused pam_end() to be called early.
+sudo_pam_approval() must not set the global pam status to an error
+value if it returns AUTH_SUCCESS.  Otherwise, sudo_pam_cleanup()
+will call pam_end() before sudo_pam_begin_session().  This resulted
+in a NULL PAM handle being used in sudo_pam_begin_session().
+
+diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
+--- a/plugins/sudoers/auth/pam.c	Wed Dec 05 10:43:14 2018 -0700
++++ b/plugins/sudoers/auth/pam.c	Fri Dec 07 09:51:34 2018 -0700
+@@ -210,59 +210,68 @@
+ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+     const char *s;
++    int rc, status = AUTH_SUCCESS;
+     int *pam_status = (int *) auth->data;
+     debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+ 
+-    *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
+-    switch (*pam_status) {
++    rc = pam_acct_mgmt(pamh, PAM_SILENT);
++    switch (rc) {
+ 	case PAM_SUCCESS:
+-	    debug_return_int(AUTH_SUCCESS);
++	    break;
+ 	case PAM_AUTH_ERR:
+ 	    log_warningx(0, N_("account validation failure, "
+ 		"is your account locked?"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_NEW_AUTHTOK_REQD:
+ 	    /* Ignore if user is exempt from password restrictions. */
+ 	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
++		break;
+ 	    /* New password required, try to change it. */
+ 	    log_warningx(0, N_("Account or password is "
+ 		"expired, reset your password and try again"));
+-	    *pam_status = pam_chauthtok(pamh,
+-		PAM_CHANGE_EXPIRED_AUTHTOK);
+-	    if (*pam_status == PAM_SUCCESS)
+-		debug_return_int(AUTH_SUCCESS);
+-	    if ((s = pam_strerror(pamh, *pam_status)) == NULL)
++	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++	    if (rc == PAM_SUCCESS)
++		break;
++	    if ((s = pam_strerror(pamh, rc)) == NULL)
+ 		s = "unknown error";
+ 	    log_warningx(0,
+ 		N_("unable to change expired password: %s"), s);
+-	    debug_return_int(AUTH_FAILURE);
++	    status = AUTH_FAILURE;
++	    break;
+ 	case PAM_AUTHTOK_EXPIRED:
+ 	    /* Ignore if user is exempt from password restrictions. */
+ 	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
++		break;
+ 	    /* Password expired, cannot be updated by user. */
+ 	    log_warningx(0,
+ 		N_("Password expired, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_ACCT_EXPIRED:
+ 	    log_warningx(0,
+ 		N_("Account expired or PAM config lacks an \"account\" "
+ 		"section for sudo, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_AUTHINFO_UNAVAIL:
+ 	case PAM_MAXTRIES:
+ 	case PAM_PERM_DENIED:
+-	    s = pam_strerror(pamh, *pam_status);
++	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FAILURE);
++	    status = AUTH_FAILURE;
++	    break;
+ 	default:
+-	    s = pam_strerror(pamh, *pam_status);
++	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+     }
++    /* Ignore errors if user is exempt from password restrictions. */
++    *pam_status = exempt ? PAM_SUCCESS : rc;
++    debug_return_int(status);
+ }
+ 
+ int
+
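Review bot: The final `*pam_status = exempt ? PAM_SUCCESS : rc;` overrides the recorded PAM result for every error branch, while the switch above only bypasses the PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED cases for exempt users. For an exempt user whose pam_acct_mgmt() returns PAM_AUTH_ERR, PAM_ACCT_EXPIRED or an unlisted code the function still returns AUTH_FATAL, yet the global status (presumably the one sudo_pam_cleanup() passes to pam_end(), per the commit text) is recorded as PAM_SUCCESS, so the PAM stack is told the session succeeded for a request sudo denied. Narrower is to clear the code only where the switch actually ignores it, `if (exempt) { rc = PAM_SUCCESS; break; }` in both expiry branches, and then store it unconditionally with `*pam_status = rc;` so the saved value always matches the returned decision. The return-type line of sudo_pam_approval() sits just before the hunk.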
diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch
new file mode 100644
index 0000000..2be1c3c
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-who-am-i.patch
@@ -0,0 +1,56 @@
+commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
+Author: Todd C. Miller <Todd.Miller@sudo.ws>
+Date:   Wed Jan 2 07:39:33 2019 -0700
+
+    Fix setting of utmp entry when running command in a pty.
+    Regression introduced in sudo 1.8.22.
+
+diff --git a/src/exec_pty.c b/src/exec_pty.c
+index cbcccca3..68312a98 100644
+--- a/src/exec_pty.c
++++ b/src/exec_pty.c
+@@ -140,7 +140,7 @@ pty_cleanup(void)
+  * and slavename globals.
+  */
+ static bool
+-pty_setup(uid_t uid, const char *tty)
++pty_setup(struct command_details *details, const char *tty)
+ {
+     debug_decl(pty_setup, SUDO_DEBUG_EXEC);
+ 
+@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
+     }
+ 
+     if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
+-	slavename, sizeof(slavename), uid))
++	slavename, sizeof(slavename), details->euid))
+ 	sudo_fatal(U_("unable to allocate pty"));
+ 
+     /* Add entry to utmp/utmpx? */
+-    if (utmp_user != NULL)
++    if (ISSET(details->flags, CD_SET_UTMP)) {
++	utmp_user =
++	    details->utmp_user ? details->utmp_user : user_details.username;
+ 	utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
++    }
+ 
+     sudo_debug_printf(SUDO_DEBUG_INFO,
+ 	"%s: %s fd %d, pty master fd %d, pty slave fd %d",
+@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
+     /*
+      * Allocate a pty.
+      */
+-    if (pty_setup(details->euid, user_details.tty)) {
+-	if (ISSET(details->flags, CD_SET_UTMP))
+-	    utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
+-    } else if (TAILQ_EMPTY(&io_plugins)) {
+-	/* Not logging I/O and didn't allocate a pty. */
+-	debug_return_bool(false);
++    if (!pty_setup(details, user_details.tty)) {
++	if (TAILQ_EMPTY(&io_plugins)) {
++	    /* Not logging I/O and didn't allocate a pty. */
++	    debug_return_bool(false);
++	}
+     }
+ 
+     /*
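Review bot: The header comment above pty_setup() (only its tail, ` * and slavename globals.`, is inside the hunk) no longer describes the function: it now takes the whole `struct command_details`, reads `details->euid` for get_pty(), and when CD_SET_UTMP is set it assigns the file-scope `utmp_user` and calls utmp_login() itself, work that exec_pty() used to do after the call. Suggest extending that comment with ` * If CD_SET_UTMP is set, also sets the utmp_user global (details->utmp_user, falling back to user_details.username) and adds the utmp entry via utmp_login().` It is also worth stating there that utmp_user is now assigned only on this path, so it stays NULL when no entry was added, which the later logout presumably relies on. exec_pty() continues past the end of the hunk.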
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 2dd0195..3c32c1b 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.23
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -50,7 +50,13 @@ Patch7: sudo-1.8.23-nowaitopt.patch
 #  bz in RHEL. The feature itself was delivered via the rebase to 1.8.23.
 Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
 # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
-Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch 
+Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
+
+# 1672876 - Backporting sudo bug with expired passwords
+Patch10: sudo-1.8.23-pam-expired-passwords.patch
+# 1665285 - Problem with sudo-1.8.23 and 'who am i'
+Patch11: sudo-1.8.23-who-am-i.patch
+
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -85,6 +91,9 @@ plugins that use %{name}.
 %patch8 -p1 -b .pam-mgmt-ignore-errors
 %patch9 -p1 -b .defaults-double-quote-fix
 
+%patch10 -p1 -b .pam-expired
+%patch11 -p1 -b .who-am-i
+
 %build
 autoreconf -I m4 -fv --install
 
@@ -222,6 +231,12 @@ rm -rf %{buildroot}
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+
+* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
+- RHEL-7.7 erratum
+  Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords
+  Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i'
+
 * Mon Sep 24 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-3
 - RHEL-7.6 erratum
   Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version
@@ -318,11 +333,11 @@ rm -rf %{buildroot}
 
 * Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-2
 - RHEL 7.4 erratum
-- Fixes coverity scan issues created by our patches: 
+- Fixes coverity scan issues created by our patches:
   - fixed resource leaks and a compiler warning in digest backport patch
   - removed needless code from cmnd_no_wait patch causing clang warning
   - format of the last changelog message causes problems to rhpkg push,
-    so don't use that as a commit message 
+    so don't use that as a commit message
   Resolves: rhbz#1360687
 
 * Wed Mar 01 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
@@ -331,7 +346,7 @@ rm -rf %{buildroot}
   - Resolves: rhbz#1123526 - performance improvement
   - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags
   - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale
-  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command 
+  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command
     was runnable even if denied by sudoers when using LDAP or SSSD backend.
   - Resolves: rhbz#1387303 - add ignore_iolog_errors option
   - Resolves: rhbz#1389360 - wrong log file group ownership
@@ -538,7 +553,7 @@ rm -rf %{buildroot}
 * Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
 - update to 1.8.5
 - fixed CVE-2012-2337
-- temporarily disabled SSSD support 
+- temporarily disabled SSSD support
 
 * Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
 - fixed problems with undefined symbols (rhbz#798517)
@@ -557,7 +572,7 @@ rm -rf %{buildroot}
 
 * Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
 - update to 1.8.3p1
-- disable output word wrapping if the output is piped 
+- disable output word wrapping if the output is piped
 
 * Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
 - Remove execute bit from sample script in docs so we don't pull in perl
@@ -692,7 +707,7 @@ rm -rf %{buildroot}
 - sparc64 needs to be in the -fPIE list with s390
 
 * Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
-- fix complains about audit_log_user_command(): Connection 
+- fix complains about audit_log_user_command(): Connection
   refused (#401201)
 
 * Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
@@ -794,7 +809,7 @@ rm -rf %{buildroot}
 - rebuild
 
 * Mon Oct  4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
-- added missing BuildRequires for libselinux-devel (#132883) 
+- added missing BuildRequires for libselinux-devel (#132883)
 
 * Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
 - Fix missing param error in sesh
@@ -821,7 +836,7 @@ rm -rf %{buildroot}
   exec of child with SELinux patch
 
 * Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
-- change to default to sysadm_r 
+- change to default to sysadm_r
 - Fix tty handling
 
 * Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
@@ -829,7 +844,7 @@ rm -rf %{buildroot}
 - replace /bin/bash -c with /bin/sesh
 
 * Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
-- Hard code to use "/bin/bash -c" for selinux 
+- Hard code to use "/bin/bash -c" for selinux
 
 * Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
 - Eliminate closing and reopening of terminals, to match su.
@@ -854,7 +869,7 @@ rm -rf %{buildroot}
 - Fix is_selinux_enabled call
 
 * Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
-- Clean up patch on failure 
+- Clean up patch on failure
 
 * Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
 - Remove sudo.te for now.
@@ -977,7 +992,7 @@ rm -rf %{buildroot}
 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
 
 * Thu Oct 08 1998 Michael Maher <mike@redhat.com>
-- built package for 5.2 
+- built package for 5.2
 
 * Mon May 18 1998 Michael Maher <mike@redhat.com>
 - updated SPEC file
@@ -989,10 +1004,9 @@ rm -rf %{buildroot}
 - built for glibc, no problems
 
 * Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
-- Fixed for 4.2 PowerTools 
+- Fixed for 4.2 PowerTools
 - Still need to be pamified
 - Still need to move stmp file to /var/log
 
 * Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
 - First version for PowerCD.
-