diff --git a/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
new file mode 100644
index 0000000..8ad3955
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
@@ -0,0 +1,35 @@
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 2c685cd..7751a67 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -106,7 +106,15 @@ do_syslog(int pri, char *msg)
+ * Log the full line, breaking into multiple syslog(3) calls if necessary
+ */
+ fmt = _("%8s : %s");
+- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
++
++
++ if (!sudo_user_name) {
++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5);
++ }
++ else {
++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
++ }
++
+ for (p = msg; *p != '\0'; ) {
+ len = strlen(p);
+ if (len > maxlen) {
+@@ -122,7 +130,12 @@ do_syslog(int pri, char *msg)
+ save = *tmp;
+ *tmp = '\0';
+
+- mysyslog(pri, fmt, sudo_user_name, p);
++ if(!sudo_user_name) {
++ mysyslog(pri, fmt, "NaN", p);
++ }
++ else{
++ mysyslog(pri, fmt, sudo_user_name, p);
++ }
+
+ *tmp = save; /* restore saved character */
+
diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
deleted file mode 100644
index bf2078a..0000000
--- a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1544201494 25200
-# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
-# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
-The fix for bug #843 was incomplete and caused pam_end() to be called early.
-sudo_pam_approval() must not set the global pam status to an error
-value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
-will call pam_end() before sudo_pam_begin_session(). This resulted
-in a NULL PAM handle being used in sudo_pam_begin_session().
-
-diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
---- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
-+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
-@@ -210,59 +210,68 @@
- sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
- {
- const char *s;
-+ int rc, status = AUTH_SUCCESS;
- int *pam_status = (int *) auth->data;
- debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
-
-- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
-- switch (*pam_status) {
-+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
-+ switch (rc) {
- case PAM_SUCCESS:
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- case PAM_AUTH_ERR:
- log_warningx(0, N_("account validation failure, "
- "is your account locked?"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_NEW_AUTHTOK_REQD:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt)
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- /* New password required, try to change it. */
- log_warningx(0, N_("Account or password is "
- "expired, reset your password and try again"));
-- *pam_status = pam_chauthtok(pamh,
-- PAM_CHANGE_EXPIRED_AUTHTOK);
-- if (*pam_status == PAM_SUCCESS)
-- debug_return_int(AUTH_SUCCESS);
-- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
-+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-+ if (rc == PAM_SUCCESS)
-+ break;
-+ if ((s = pam_strerror(pamh, rc)) == NULL)
- s = "unknown error";
- log_warningx(0,
- N_("unable to change expired password: %s"), s);
-- debug_return_int(AUTH_FAILURE);
-+ status = AUTH_FAILURE;
-+ break;
- case PAM_AUTHTOK_EXPIRED:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt)
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- /* Password expired, cannot be updated by user. */
- log_warningx(0,
- N_("Password expired, contact your system administrator"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_ACCT_EXPIRED:
- log_warningx(0,
- N_("Account expired or PAM config lacks an \"account\" "
- "section for sudo, contact your system administrator"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_AUTHINFO_UNAVAIL:
- case PAM_MAXTRIES:
- case PAM_PERM_DENIED:
-- s = pam_strerror(pamh, *pam_status);
-+ s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
-- debug_return_int(AUTH_FAILURE);
-+ status = AUTH_FAILURE;
-+ break;
- default:
-- s = pam_strerror(pamh, *pam_status);
-+ s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- }
-+ /* Ignore errors if user is exempt from password restrictions. */
-+ *pam_status = exempt ? PAM_SUCCESS : rc;
-+ debug_return_int(status);
- }
-
- int
-
diff --git a/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
new file mode 100644
index 0000000..94c46c8
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
@@ -0,0 +1,344 @@
+unchanged:
+--- b/plugins/sudoers/auth/pam.c
++++ b/plugins/sudoers/auth/pam.c
+@@ -210,59 +210,71 @@
+ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+ const char *s;
++ int rc, status = AUTH_SUCCESS;
+ int *pam_status = (int *) auth->data;
+ debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+
+- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
+- switch (*pam_status) {
++ rc = pam_acct_mgmt(pamh, PAM_SILENT);
++ switch (rc) {
+ case PAM_SUCCESS:
+- debug_return_int(AUTH_SUCCESS);
++ break;
+ case PAM_AUTH_ERR:
+ log_warningx(0, N_("account validation failure, "
+ "is your account locked?"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ /* Ignore if user is exempt from password restrictions. */
+- if (exempt)
+- debug_return_int(AUTH_SUCCESS);
++ if (exempt) {
++ rc = *pam_status;
++ break;
++ }
+ /* New password required, try to change it. */
+ log_warningx(0, N_("Account or password is "
+ "expired, reset your password and try again"));
+- *pam_status = pam_chauthtok(pamh,
+- PAM_CHANGE_EXPIRED_AUTHTOK);
+- if (*pam_status == PAM_SUCCESS)
+- debug_return_int(AUTH_SUCCESS);
+- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++ if (rc == PAM_SUCCESS)
++ break;
++ if ((s = pam_strerror(pamh, rc)) == NULL)
+ s = "unknown error";
+ log_warningx(0,
+ N_("unable to change expired password: %s"), s);
+- debug_return_int(AUTH_FAILURE);
++ status = AUTH_FAILURE;
++ break;
+ case PAM_AUTHTOK_EXPIRED:
+ /* Ignore if user is exempt from password restrictions. */
+- if (exempt)
+- debug_return_int(AUTH_SUCCESS);
++ if (exempt) {
++ rc = *pam_status;
++ break;
++ }
+ /* Password expired, cannot be updated by user. */
+ log_warningx(0,
+ N_("Password expired, contact your system administrator"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_ACCT_EXPIRED:
+ log_warningx(0,
+ N_("Account expired or PAM config lacks an \"account\" "
+ "section for sudo, contact your system administrator"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_AUTHINFO_UNAVAIL:
+ case PAM_MAXTRIES:
+ case PAM_PERM_DENIED:
+- s = pam_strerror(pamh, *pam_status);
++ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+- debug_return_int(AUTH_FAILURE);
++ status = AUTH_FAILURE;
++ break;
+ default:
+- s = pam_strerror(pamh, *pam_status);
++ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ }
++ *pam_status = rc;
++ debug_return_int(status);
+ }
+
+ int
+unchanged:
+--- a/doc/sudoers.cat
++++ b/doc/sudoers.cat
+@@ -1286,6 +1286,17 @@ S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
+ well as the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section at the end
+ of this manual. This flag is _�o_�f_�f by default.
+
++ pam_acct_mgmt On systems that use PAM for authentication, s�su�ud�do�o will
++ perform PAM account validation for the invoking user by
++ default. The actual checks performed depend on which
++ PAM modules are configured. If enabled, account
++ validation will be performed regardless of whether or
++ not a password is required. This flag is _�o_�n by
++ default.
++
++ This setting is only supported by version 1.8.28 or
++ higher.
++
+ pam_session On systems that use PAM for authentication, s�su�ud�do�o will
+ create a new PAM session for the command to be run in.
+ Disabling _�p_�a_�m_�__�s_�e_�s_�s_�i_�o_�n may be needed on older PAM
+unchanged:
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -2722,6 +2722,19 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++pam_acct_mgmt
++On systems that use PAM for authentication,
++\fBsudo\fR
++will perform PAM account validation for the invoking user by default.
++The actual checks performed depend on which PAM modules are configured.
++If enabled, account validation will be performed regardless of whether
++or not a password is required.
++This flag is
++\fIon\fR
++by default.
++.sp
++This setting is only supported by version 1.8.28 or higher.
++.TP 18n
+ pam_session
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+unchanged:
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -2560,6 +2560,18 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
++.It pam_acct_mgmt
++On systems that use PAM for authentication,
++.Nm sudo
++will perform PAM account validation for the invoking user by default.
++The actual checks performed depend on which PAM modules are configured.
++If enabled, account validation will be performed regardless of whether
++or not a password is required.
++This flag is
++.Em on
++by default.
++.Pp
++This setting is only supported by version 1.8.28 or higher.
+ .It pam_session
+ On systems that use PAM for authentication,
+ .Nm sudo
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100
++++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200
+@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud
+ int *pam_status = (int *) auth->data;
+ debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+
+- rc = pam_acct_mgmt(pamh, PAM_SILENT);
+- switch (rc) {
+- case PAM_SUCCESS:
+- break;
+- case PAM_AUTH_ERR:
+- log_warningx(0, N_("account validation failure, "
+- "is your account locked?"));
+- status = AUTH_FATAL;
+- break;
+- case PAM_NEW_AUTHTOK_REQD:
+- /* Ignore if user is exempt from password restrictions. */
+- if (exempt) {
+- rc = *pam_status;
+- break;
+- }
+- /* New password required, try to change it. */
+- log_warningx(0, N_("Account or password is "
+- "expired, reset your password and try again"));
+- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+- if (rc == PAM_SUCCESS)
+- break;
+- if ((s = pam_strerror(pamh, rc)) == NULL)
+- s = "unknown error";
+- log_warningx(0,
+- N_("unable to change expired password: %s"), s);
+- status = AUTH_FAILURE;
+- break;
+- case PAM_AUTHTOK_EXPIRED:
+- /* Ignore if user is exempt from password restrictions. */
+- if (exempt) {
+- rc = *pam_status;
+- break;
+- }
+- /* Password expired, cannot be updated by user. */
+- log_warningx(0,
+- N_("Password expired, contact your system administrator"));
+- status = AUTH_FATAL;
+- break;
+- case PAM_ACCT_EXPIRED:
+- log_warningx(0,
+- N_("Account expired or PAM config lacks an \"account\" "
+- "section for sudo, contact your system administrator"));
+- status = AUTH_FATAL;
+- break;
+- case PAM_AUTHINFO_UNAVAIL:
+- case PAM_MAXTRIES:
+- case PAM_PERM_DENIED:
+- s = pam_strerror(pamh, rc);
+- log_warningx(0, N_("PAM account management error: %s"),
+- s ? s : "unknown error");
+- status = AUTH_FAILURE;
+- break;
+- default:
+- s = pam_strerror(pamh, rc);
+- log_warningx(0, N_("PAM account management error: %s"),
+- s ? s : "unknown error");
+- status = AUTH_FATAL;
+- break;
++ if (def_pam_acct_mgmt) {
++ rc = pam_acct_mgmt(pamh, PAM_SILENT);
++ switch (rc) {
++ case PAM_SUCCESS:
++ break;
++ case PAM_AUTH_ERR:
++ log_warningx(0, N_("account validation failure, "
++ "is your account locked?"));
++ status = AUTH_FATAL;
++ break;
++ case PAM_NEW_AUTHTOK_REQD:
++ /* Ignore if user is exempt from password restrictions. */
++ if (exempt) {
++ rc = *pam_status;
++ break;
++ }
++ /* New password required, try to change it. */
++ log_warningx(0, N_("Account or password is "
++ "expired, reset your password and try again"));
++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++ if (rc == PAM_SUCCESS)
++ break;
++ if ((s = pam_strerror(pamh, rc)) == NULL)
++ s = "unknown error";
++ log_warningx(0,
++ N_("unable to change expired password: %s"), s);
++ status = AUTH_FAILURE;
++ break;
++ case PAM_AUTHTOK_EXPIRED:
++ /* Ignore if user is exempt from password restrictions. */
++ if (exempt) {
++ rc = *pam_status;
++ break;
++ }
++ /* Password expired, cannot be updated by user. */
++ log_warningx(0,
++ N_("Password expired, contact your system administrator"));
++ status = AUTH_FATAL;
++ break;
++ case PAM_ACCT_EXPIRED:
++ log_warningx(0,
++ N_("Account expired or PAM config lacks an \"account\" "
++ "section for sudo, contact your system administrator"));
++ status = AUTH_FATAL;
++ break;
++ case PAM_AUTHINFO_UNAVAIL:
++ case PAM_MAXTRIES:
++ case PAM_PERM_DENIED:
++ s = pam_strerror(pamh, rc);
++ log_warningx(0, N_("PAM account management error: %s"),
++ s ? s : "unknown error");
++ status = AUTH_FAILURE;
++ break;
++ default:
++ s = pam_strerror(pamh, rc);
++ log_warningx(0, N_("PAM account management error: %s"),
++ s ? s : "unknown error");
++ status = AUTH_FATAL;
++ break;
++ }
++ *pam_status = rc;
+ }
+- *pam_status = rc;
+ debug_return_int(status);
+ }
+
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200
++++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200
+@@ -642,6 +642,7 @@ init_defaults(void)
+ if ((def_editor = strdup(EDITOR)) == NULL)
+ goto oom;
+ def_set_utmp = true;
++ def_pam_acct_mgmt = true;
+ def_pam_setcred = true;
+ def_syslog_maxlen = MAXSYSLOGLEN;
+ def_case_insensitive_user = true;
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200
++++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200
+@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[]
+ N_("Don't fork and wait for the command to finish, just exec it"),
+ NULL,
+ }, {
++ "pam_acct_mgmt", T_FLAG,
++ N_("Perform PAM account validation management"),
++ NULL,
++ }, {
+ NULL, 0, NULL
+ }
+ };
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200
++++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200
+@@ -230,6 +230,8 @@
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ #define I_CMND_NO_WAIT 115
+ #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
++#define I_PAM_ACCT_MGMT 116
++#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
+
+ enum def_tuple {
+ never,
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200
++++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200
+@@ -363,3 +363,6 @@ legacy_group_processing
+ cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
++pam_acct_mgmt
++ T_FLAG
++ "Perform PAM account validation management"
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 8c4abb5..ce0645b 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.23
-Release: 4%{?dist}.2
+Release: 9%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@@ -52,18 +52,23 @@ Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
-# 1672876 - Backporting sudo bug with expired passwords
-Patch10: sudo-1.8.23-pam-expired-passwords.patch
+# 1647678 - sudo access denied with pam_access and pts terminal configurations
+# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch
+Patch10: sudo-1.8.23-pam_access-and-terminals.patch
+
# 1665285 - Problem with sudo-1.8.23 and 'who am i'
Patch11: sudo-1.8.23-who-am-i.patch
-# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.7.z]
-Patch12: sudo-1.8.28-CVE-strtouid.patch
-Patch13: sudo-1.8.28-CVE-strtouid-test.patch
+# 1738841 - Crash in do_syslog() while doing sudoedit
+Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch
+
+# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8]
+Patch13: sudo-1.8.28-CVE-strtouid.patch
+Patch14: sudo-1.8.28-CVE-strtouid-test.patch
-# 1798094 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.7.z]
-Patch14: sudo-1.8.29-CVE-2019-18634-part1.patch
-Patch15: sudo-1.8.29-CVE-2019-18634-part2.patch
+# 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.8]
+Patch15: sudo-1.8.29-CVE-2019-18634-part1.patch
+Patch16: sudo-1.8.29-CVE-2019-18634-part2.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -98,14 +103,16 @@ plugins that use %{name}.
%patch8 -p1 -b .pam-mgmt-ignore-errors
%patch9 -p1 -b .defaults-double-quote-fix
-%patch10 -p1 -b .pam-expired
+%patch10 -p1 -b .pam_access-and-terminals
+
%patch11 -p1 -b .who-am-i
+%patch12 -p1 -b .do_syslog-username
-%patch12 -p1 -b .CVE-strtouid
-%patch13 -p1 -b .CVE-strtouid-test
+%patch13 -p1 -b .CVE-strtouid
+%patch14 -p1 -b .CVE-strtouid-test
-%patch14 -p1 -b .CVE-2019-18634-part1
-%patch15 -p1 -b .CVE-2019-18634-part2
+%patch15 -p1 -b .CVE-2019-18634-part1
+%patch16 -p1 -b .CVE-2019-18634-part2
%build
autoreconf -I m4 -fv --install
@@ -179,7 +186,6 @@ auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
-session required pam_limits.so
session include system-auth
EOF
@@ -189,7 +195,6 @@ auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
-session required pam_limits.so
session include sudo
EOF
@@ -244,15 +249,27 @@ rm -rf %{buildroot}
%{_mandir}/man8/sudo_plugin.8*
%changelog
-* Thu Feb 06 2020 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.2
-- RHEL 7.7.z
-- fixed CVE-2019-18634
- Resolves: rhbz#1798094
+* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.23-9
+- RHEL-7.8
+- CVE-2019-18634
+ Resolves: rhbz#1798095
-* Wed Oct 16 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.1
-- RHEL-7.7.z
+* Thu Oct 17 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-8
+- RHEL-7.8
- fixed CVE-2019-14287
- Resolves: rhbz#1760694
+ Resolves: rhbz#1760695
+
+* Thu Aug 22 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-7
+- RHEL-7.8 erratum
+ Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit
+
+* Mon Aug 19 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-6
+- RHEL-7.8 erratum
+ Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations
+
+* Mon Aug 12 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-5
+- RHEL-7.8 erratum
+ Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries
* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
- RHEL-7.7 erratum