diff --git a/dist b/dist
index 535c6900412d365bb0ff6de8d1f27110833b3ae3..9c0e36ec42a2d9bfefacb21ac6354c9ddd910533 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8_7
+an8
diff --git a/sha-digest-calc.patch b/sha-digest-calc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..affab8bc6e62aa0f28fd18bed9fb7524dce5a6fb
--- /dev/null
+++ b/sha-digest-calc.patch
@@ -0,0 +1,26 @@
+From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
+From: Tim Shearer
+Date: Tue, 2 Aug 2022 08:48:32 -0400
+Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
+
+Resolves an issue where certain message sizes result in an incorrect
+checksum. Specifically, when:
+(n*8) mod 1024 == 896
+where n is the file size in bytes.
+---
+ lib/util/sha2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/util/sha2.c b/lib/util/sha2.c
+index b7a28cca8..f769f77f2 100644
+--- a/lib/util/sha2.c
++++ b/lib/util/sha2.c
+@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
+ SHA512Update(ctx, (uint8_t *)"\200", 1);
+ 
+ /* Pad message such that the resulting length modulo 1024 is 896. */
+- while ((ctx->count[0] & 1008) != 896)
++ while ((ctx->count[0] & 1016) != 896)
+ SHA512Update(ctx, (uint8_t *)"\0", 1);
+ 
+ /* Append length of message in bits and do final SHA512Transform(). */
diff --git a/sudo-1.9.12p1-CVE-2022-43955.patch b/sudo-1.9.12p1-CVE-2022-43955.patch
deleted file mode 100644
index 57b9233001ce6aceb0b84d3ce6c163368d45d1f9..0000000000000000000000000000000000000000
--- a/sudo-1.9.12p1-CVE-2022-43955.patch
+++ /dev/null
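Review bot: The corrected mask on the `while` line, `& 1016`, is right only because `ctx->count[0]` appears to be a bit count that SHA512Update advances a whole byte at a time, so bits 0–2 are never set; the comment directly above promises "modulo 1024", and `while ((ctx->count[0] & 1023) != 896)` states that invariant itself and cannot regress if the counter is ever bumped in sub-byte units. The old mask 1008 ignored bit 3, so a message whose count was 904 (mod 1024) after the 0x80 byte — the `(n*8) mod 1024 == 896` case from the commit message, i.e. n = 112 + 128k bytes — satisfied `& 1008 == 896` immediately, received no zero padding and produced the wrong digest. If this sha2.c is what sudo's sudoers digest matching uses, as the spec's bug title "sudo digest check fails incorrectly for certain file sizes" suggests, that is a security check silently misfiring for those file sizes, so a regression test hashing 112- and 240-byte inputs against known SHA-512/SHA-384 vectors should land with the one-line fix. SHA256Pad in the same file presumably has the analogous 512-bit mask; worth confirming it already includes bit 3 (`& 504` or `& 511`) rather than assuming it does. SHA512Pad's body continues outside the hunk.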
@@ -1,37 +0,0 @@
-diff -aruN sudo-1.8.29/plugins/sudoers/auth/passwd.c sudo-1.8.29-new/plugins/sudoers/auth/passwd.c
---- sudo-1.8.29/plugins/sudoers/auth/passwd.c 2023-03-17 03:39:35.003302022 +0800
-+++ sudo-1.8.29-new/plugins/sudoers/auth/passwd.c 2023-03-17 03:43:44.088284483 +0800
-@@ -63,7 +63,7 @@
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
-- char sav, *epass;
-+ char des_pass[9], *epass;
- char *pw_epasswd = auth->data;
- size_t pw_len;
- int matched = 0;
-@@ -75,20 +75,19 @@
- 
- /*
- * Truncate to 8 chars if standard DES since not all crypt()'s do this.
-- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
- */
-- sav = pass[8];
- pw_len = strlen(pw_epasswd);
-- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
-- pass[8] = '\0';
- 
-+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+ strlcpy(des_pass, pass, sizeof(des_pass));
-+ pass = des_pass;
-+ }
- /*
- * Normal UN*X password check.
- * HP-UX may add aging info (separated by a ',') at the end so
- * only compare the first DESLEN characters in that case.
- */
- epass = (char *) crypt(pass, pw_epasswd);
-- pass[8] = sav;
- if (epass != NULL) {
- if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- matched = !strncmp(pw_epasswd, epass, DESLEN);
diff --git a/sudo.spec b/sudo.spec
index c2c996f1e6b7da8fe5d86f9c68a047624192a860..678ac5f37bb2bd67cb854e2c26efe3df2e4b1d9c 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,8 +1,7 @@
-%define anolis_release .0.1
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 8%{anolis_release}%{?dist}.1
+Release: 10%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -77,11 +76,12 @@ Patch21: sudo-1.9.7-krb5ccname.patch
 # 1986572 - utmp resource leak in sudo
 Patch22: sudo-1.9.7-utmp-leak.patch
-# 2161220 - EMBARGOED CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user [rhel-8.7.0]
+# 2114576 - sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
+Patch23: sha-digest-calc.patch
+# 2161221 - EMBARGOED CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user [rhel-8.8.0]
 Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch
 Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch
 Patch26: sudo-1.9.12-CVE-2023-22809.patch
-Patch27: sudo-1.9.12p1-CVE-2022-43955.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -135,10 +135,10 @@ plugins that use %{name}.
 %patch21 -p1 -b .krb5ccname
 %patch22 -p1 -b .utmp-leak
+%patch23 -p1 -b .sha-digest
 %patch24 -p1 -b .whitelist
 %patch25 -p1 -b .backports
 %patch26 -p1 -b .cve
-%patch27 -p1 -b .CVE-2022-43955
 %build
 # Remove bundled copy of zlib
@@ -298,13 +298,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
-* Fri Mar 17 2023 guo chuang - 1.8.29-8.0.1.1
-- add patch for CVE-2022-43955
-
-* Wed Jan 11 2023 Radovan Sroka - 1.8.29-8.1
-RHEL 8.7.0.Z ERRATUM
+* Wed Jan 11 2023 Radovan Sroka - 1.8.29.9
+RHEL 8.8.0 ERRATUM
 - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
-Resolves: rhbz#2161220
+Resolves: rhbz#2161221
+- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
+Resolves: rhbz#2114576
 * Mon Dec 06 2021 Radovan Sroka - 1.8.29-8
 RHEL 8.6.0 ERRATUM
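Review bot: `-Patch27: sudo-1.9.12p1-CVE-2022-43955.patch` drops a previously shipped security backport (its `%patch27` application and the patch file itself go with it elsewhere in this diff), but nothing in the diff says why; the %changelog entry added for this build lists only the digest fix and CVE-2023-22809. Removing a CVE patch during a rebase needs an explicit record so it cannot be mistaken for an accidental loss on the next resync, e.g. a changelog line `- drop sudo-1.9.12p1-CVE-2022-43955.patch: <reason>` and, if the fix is still wanted, a note on where it now lives. The new `Patch23: sha-digest-calc.patch` entry and the renumbered `# 2161221 … [rhel-8.8.0]` comment otherwise follow the list's existing comment/Patch pairing.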
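Review bot: The added entry `+* Wed Jan 11 2023 Radovan Sroka - 1.8.29.9` does not agree with the `Release: 10%{?dist}` this same diff sets in the spec's first hunk; RPM changelog tags are `<version>-<release>`, so the line should read `* Wed Jan 11 2023 Radovan Sroka - 1.8.29-10` (rpmlint reports the current form as incoherent-version-in-changelog, and as written no entry accounts for release 9 or 10 at all). The deleted `1.8.29-8.0.1.1` entry is presumably a downstream-only record being dropped on resync with the upstream spec, which is reasonable, but it was the only place that documented CVE-2022-43955 being patched, so a line recording that the patch is no longer applied belongs in the new entry.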