diff --git a/.gitignore b/.gitignore
index cac4495..8ab0a58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,9 @@
 /sudo-1.8.28.tar.gz
 /sudo-1.8.28p1.tar.gz
 /sudo-1.8.29.tar.gz
+/sudo-1.9.0b1.tar.gz
+/sudo-1.9.0b4.tar.gz
+/sudo-1.9.2.tar.gz
+/sudo-1.9.3p1.tar.gz
+/sudo-1.9.5p1.tar.gz
+/sudo-1.9.5p2.tar.gz
diff --git a/sources b/sources
index d6aec86..e39bcb4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
+SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
diff --git a/sudo.spec b/sudo.spec
index f929cc0..acd2ff1 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,13 +1,14 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.29
-Release: 2%{?dist}
+Version: 1.9.5p2
+Release: 1%{?dist}
 License: ISC
-URL: http://www.courtesan.com/sudo/
-Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+URL: https://www.sudo.ws
+Source0: %{url}/dist/%{name}-%{version}.tar.gz
 Source1: sudoers
 Requires: pam
 Recommends: vim-minimal
+Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
 Requires(post): coreutils
 
 BuildRequires: pam-devel
@@ -44,6 +45,26 @@ Requires:       %{name} = %{version}-%{release}
 The %{name}-devel package contains header files developing sudo
 plugins that use %{name}.
 
+
+%package        logsrvd
+Summary:        High-performance log server for %{name}
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  openssl-devel
+
+
+%description    logsrvd
+%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
+It can be used to implement centralized logging of sudo logs.
+
+%package        python-plugin
+Summary:        Python plugin for %{name}
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  python3-devel
+
+
+%description    python-plugin
+%{name}-python-plugin allows using sudo plugins written in Python.
+
 %prep
 %setup -q
 
@@ -67,6 +88,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
         --docdir=%{_pkgdocdir} \
+        --enable-openssl \
         --disable-root-mailer \
         --with-logging=syslog \
         --with-logfac=authpriv \
@@ -79,6 +101,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --with-ldap \
         --with-selinux \
         --with-passprompt="[sudo] password for %p: " \
+        --enable-python \
         --with-linux-audit \
         --with-sssd
 #       --without-kerb5 \
@@ -151,7 +174,8 @@ EOF
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
-%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
+%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
@@ -163,7 +187,9 @@ EOF
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
 %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
 %{_libexecdir}/sudo/libsudo_util.so.?
@@ -188,7 +214,71 @@ EOF
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
 
+%files logsrvd
+%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
+%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
+%attr(0755,root,root) %{_sbindir}/sudo_sendlog
+%{_mandir}/man5/sudo_logsrv.proto.5.gz
+%{_mandir}/man5/sudo_logsrvd.conf.5.gz
+%{_mandir}/man8/sudo_logsrvd.8.gz
+%{_mandir}/man8/sudo_sendlog.8.gz
+
+%files python-plugin
+%{_mandir}/man8/sudo_plugin_python.8.gz
+%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
+
 %changelog
+* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1
+- rebase to 1.9.5p2
+Resolves: rhbz#1920611
+- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
+Resolves: rhbz#1920618
+
+* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
+- rebase to 1.9.5p1
+-  updated sudo url
+Resolves: rhbz#1902758
+- enabled python plugin as a subpackage
+Resolves: rhbz#1909299
+- fixed double free in sss_to_sudoers
+Resolves: rhbz#1885874
+- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
+Resolves: rhbz#1915055
+- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
+Resolves: rhbz#1915054
+
+* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
+- rebase to 1.9.2
+Resolves: rhbz#1859577
+- added logsrvd subpackage
+- added openssl-devel buildrequires
+Resolves: rhbz#1860653
+- fixed sudo runstatedir path
+- it was generated as /sudo instead of /run/sudo
+Resolves: rhbz#1868215
+- added /var/lib/snapd/snap/bin to secure_path variable
+Resolves: rhbz#1691996
+
+* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
+- update to latest development version 1.9.0b4
+Resolves: rhbz#1816593
+- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
+Resolves: rhbz#1773148
+
+* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
+- update to latest development version 1.9.0b1
+- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
+Resolves: rhbz#1787823
+- Stack based buffer overflow in when pwfeedback is enabled
+Resolves: rhbz#1796945
+- fixes: CVE-2019-18634 
+- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
+Resolves: rhbz#1786709
+- fixes CVE-2019-19234
+- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
+Resolves: rhbz#1786705
+- fixes CVE-2019-19232
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
diff --git a/sudoers b/sudoers
index 29775ad..5f621a8 100644
--- a/sudoers
+++ b/sudoers
@@ -85,7 +85,7 @@ Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
 #
 # Defaults   env_keep += "HOME"
 
-Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
 
 ## Next comes the main part: which users can run what software on 
 ## which machines (the sudoers file can be shared between multiple