--- sudo.man.in
+++ sudo.man.in
@@ -180,8 +180,8 @@
 specified).  If the invoking user is root or if the target user is
 the same as the invoking user, no password is required.  Otherwise,
 \&\fBsudo\fR requires that users authenticate themselves with a password
-by default (\s-1NOTE:\s0 in the default configuration this is the user's
-password, not the root password).  Once a user has been authenticated,
+by default (\s-1NOTE:\s0 in the default configuration this is the root
+password, not the user's password).  Once a user has been authenticated,
 a timestamp is updated and the user may then use sudo without a
 password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
 overridden in \fIsudoers\fR).
--- sudoers
+++ sudoers
@@ -15,6 +15,26 @@
 
 # Defaults specification
 
+# Prevent environment variables from influencing programs in an
+# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+# Change env_reset to !env_reset in previous line to keep all environment variables
+# Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+# Comment out the preceding line and uncomment the following one if you need
+# to use special input methods. This may allow users to compromise  the root
+# account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+# In the default (unconfigured) configuration, sudo asks for the root password.
+# This allows use of an ordinary user account for administration of a freshly
+# installed system. When configuring sudo, delete the two
+# following lines:
+Defaults targetpw   # ask for the password of the target user i.e. root
+ALL	ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+
 # Runas alias specification
 
 # User privilege specification