diff --git a/sudo-1.8.27.tar.gz b/sudo-1.8.27.tar.gz
deleted file mode 100644
index cf9703c..0000000
--- a/sudo-1.8.27.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7beb68b94471ef56d8a1036dbcdc09a7b58a949a68ffce48b83f837dd33e2ec0
-size 3293178
diff --git a/sudo-1.8.27.tar.gz.sig b/sudo-1.8.27.tar.gz.sig
deleted file mode 100644
index 41c9a33..0000000
Binary files a/sudo-1.8.27.tar.gz.sig and /dev/null differ
diff --git a/sudo-1.8.28p1.tar.gz b/sudo-1.8.28p1.tar.gz
new file mode 100644
index 0000000..4585690
--- /dev/null
+++ b/sudo-1.8.28p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23ba5a84af31e3b5ded58d4be6d3f6939a495a55561fba92c6941b79a6e8b027
+size 3310254
diff --git a/sudo-1.8.28p1.tar.gz.sig b/sudo-1.8.28p1.tar.gz.sig
new file mode 100644
index 0000000..3ad4428
Binary files /dev/null and b/sudo-1.8.28p1.tar.gz.sig differ
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
index 8a8e873..33f8018 100644
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -1,7 +1,7 @@
-Index: sudo-1.8.14p3/plugins/sudoers/sudoers.in
+Index: sudo-1.8.28/plugins/sudoers/sudoers.in
 ===================================================================
---- sudo-1.8.14p3.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.14p3/plugins/sudoers/sudoers.in
+--- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200
++++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200
 @@ -32,30 +32,23 @@
 ##
 ## Defaults specification
@@ -82,20 +82,20 @@ Index: sudo-1.8.14p3/plugins/sudoers/sudoers.in
 ## Read drop-in files from @sysconfdir@/sudoers.d
 ## (the '#' here does not indicate a comment)
 #includedir @sysconfdir@/sudoers.d
-Index: sudo-1.8.14p3/doc/sudoers.mdoc.in
+Index: sudo-1.8.28/doc/sudoers.mdoc.in
 ===================================================================
---- sudo-1.8.14p3.orig/doc/sudoers.mdoc.in
-+++ sudo-1.8.14p3/doc/sudoers.mdoc.in
-@@ -1711,7 +1711,7 @@ is present in the
+--- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200
++++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200
+@@ -1972,7 +1972,7 @@ is present in the
 .Em env_keep
- list.
+ list, both of which are strongly discouraged.
 This flag is
 -.Em off
 +.Em on
 by default.
 .It authenticate
 If set, users must authenticate themselves via a password (or other
-@@ -2027,7 +2027,7 @@ If set,
+@@ -2364,7 +2364,7 @@ If set,
 .Nm sudo
 will insult users when they enter an incorrect password.
 This flag is
@@ -104,7 +104,7 @@ Index: sudo-1.8.14p3/doc/sudoers.mdoc.in
 by default.
 .It log_host
 If set, the host name will be logged in the (non-syslog)
-@@ -2508,7 +2508,7 @@ database as an argument to the
+@@ -2941,7 +2941,7 @@ database as an argument to the
 .Fl u
 option.
 This flag is
diff --git a/sudo.changes b/sudo.changes
index d7bbf9c..a32caec 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Wed Oct 16 15:08:29 UTC 2019 - Vítězslav Čížek
+
+- Update to 1.8,28p1
+ * The fix for Bug #869 caused "sudo -v" to prompt for a password
+ when "verifypw" is set to "all" (the default) and all of the
+ user's sudoers entries are marked with NOPASSWD. Bug #901.
+
+-------------------------------------------------------------------
+Mon Oct 14 15:10:21 UTC 2019 - Vítězslav Čížek
+
+- Update to 1.8.28
+ * Fixed CVE-2019-14287 (bsc#1153674),
+ a bug where a sudo user may be able to
+ run a command as root when the Runas specification explicitly
+ disallows root access as long as the ALL keyword is listed first.
+ * Sudo will now only set PAM_TTY to the empty string when no
+ terminal is present on Solaris and Linux. This workaround is
+ only needed on those systems which may have PAM modules that
+ misbehave when PAM_TTY is not set.
+ * The mailerflags sudoers option now has a default value even if
+ sendmail support was disabled at configure time. Fixes a crash
+ when the mailerpath sudoers option is set but mailerflags is not.
+ Bug #878.
+ * Sudo will now filter out last login messages on HP-UX unless it
+ a shell is being run via "sudo -s" or "sudo -i". Otherwise,
+ when trusted mode is enabled, these messages will be displayed
+ for each command.
+ * Sudo has a new -B command line option that will ring the terminal
+ bell when prompting for a password.
+ * Sudo no longer refuses to prompt for a password when it cannot
+ determine the user's terminal as long as it can open /dev/tty.
+ This allows sudo to function on systems where /proc is unavailable,
+ such as when running in a chroot environment.
+ * The "env_editor" sudoers flag is now on by default. This makes
+ source builds more consistent with the packages generated by
+ sudo's mkpkg script.
+ * Fixed a bad interaction with configure's --prefix and
+ --disable-shared options. Bug #886.
+ * More verbose error message when a password is required and no terminal
+ is present. Bug #828.
+ * Command tags, such as NOPASSWD, are honored when a user tries to run a
+ command that is allowed by sudoers but which does not actually
+ exist on the file system. Bug #888.
+ * I/O log timing files now store signal suspend and resume information
+ in the form of a signal name instead of a number.
+ * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring
+ the value of "ipa_hostname" from sssd.conf, if specified, when
+ matching the host name.
+ * Fixed a bug introduced in 1.8.21 that prevented the core dump
+ resource limit set in the pam_limits module from taking effect.
+ Bug #894.
+ * Fixed parsing of double-quoted Defaults group and netgroup bindings.
+ * The user ID is now used when matching sudoUser attributes in LDAP.
+ Previously, the user name, group name and group IDs were used
+ when matching but not the user ID.
+ * Sudo now writes PAM messages to the user's terminal, if available,
+ instead of the standard output or standard error. This prevents
+ PAM output from being intermixed with that of the command when
+ output is sent to a file or pipe. Bug #895.
+ * Sudoedit now honors the umask and umask_override settings in sudoers.
+ Previously, the user's umask was used as-is.
+ * Fixed a bug where the terminal's file context was not restored
+ when using SELinux RBAC. Bug #898.
+- refresh sudo-sudoers.patch
+
 -------------------------------------------------------------------
 Sun Aug 18 08:08:52 UTC 2019 - Oliver Kurz
 
diff --git a/sudo.spec b/sudo.spec
index 92fae33..b78acf7 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@
 
 
 Name: sudo
-Version: 1.8.27
+Version: 1.8.28p1
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -173,9 +173,10 @@ chmod 0440 %{_sysconfdir}/sudoers
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/sesh
 %{_libexecdir}/%{name}/sudo_noexec.so
-%{_libexecdir}/%{name}/sudoers.so
-%{_libexecdir}/%{name}/group_file.so
-%{_libexecdir}/%{name}/system_group.so
+%dir %{_libexecdir}/%{name}/%{name}
+%{_libexecdir}/%{name}/%{name}/sudoers.so
+%{_libexecdir}/%{name}/%{name}/group_file.so
+%{_libexecdir}/%{name}/%{name}/system_group.so
 %{_libexecdir}/%{name}/libsudo_util.so.*
 %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
 %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
@@ -187,6 +188,7 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8%{?ext_man}
 %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
+%{_libexecdir}/%{name}/sudo/*.la
 %{_libexecdir}/%{name}/*.la
 
 %files test
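Review bot: The plugin subdirectory is spelled two ways in this file list: the `@@ -173,9 +173,10 @@` hunk writes it as `%{_libexecdir}/%{name}/%{name}/sudoers.so` (and `%dir %{_libexecdir}/%{name}/%{name}`), while the `@@ -187,6 +188,7 @@` hunk uses the literal `%{_libexecdir}/%{name}/sudo/*.la`. Both expand to the same path only because `Name:` is `sudo`; the inner component is presumably the build's plugin directory name rather than the package name, so I would spell it literally in both places, e.g. `%dir %{_libexecdir}/%{name}/sudo` and `%{_libexecdir}/%{name}/sudo/sudoers.so`. Because `sudoers.so` is loaded by a setuid-root binary, it is also worth confirming that the new directory is packaged root-owned and not group- or world-writable (no `%attr` is given on the new `%dir` line, and any `%defattr` is outside the hunk). If anything else in the package still refers to the old plugin location, such as an absolute plugin path in a shipped `sudo.conf`, it would need the same update; that is not visible from these hunks.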