diff --git a/.gitignore b/.gitignore
index 04f884a..ad1c23e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,11 @@
 /sudo-1.8.16.tar.gz
 /sudo-1.8.17p1.tar.gz
+/sudo-1.8.18b2.tar.gz
+/sudo-1.8.18rc2.tar.gz
+/sudo-1.8.18rc4.tar.gz
+/sudo-1.8.18.tar.gz
+/sudo-1.8.18p1.tar.gz
+/sudo-1.8.19p2.tar.gz
+/sudo-1.8.20p1.tar.gz
+/sudo-1.8.20p2.tar.gz
+/sudo-1.8.21p2.tar.gz
diff --git a/sources b/sources
index 9534406..a15d86f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-50a840a688ceb6fa3ab24fc0adf4fa23 sudo-1.8.17p1.tar.gz
+SHA512 (sudo-1.8.21p2.tar.gz) = f04bbff54ad74ba73c078e15c75d2f41332d4912078ed66157ba7346b7fff914bd0747460cb4cd0c472af2d3b344fa72f5c62c95169df68a9cac74d7245c720c
diff --git a/sudo-1.8.14p1-ldapconfpatch.patch b/sudo-1.8.14p1-ldapconfpatch.patch
deleted file mode 100644
index f42d487..0000000
--- a/sudo-1.8.14p1-ldapconfpatch.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c
---- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch 2015-07-07 18:51:11.000000000 +0200
-+++ sudo-1.8.14b3/plugins/sudoers/ldap.c 2015-07-09 11:03:25.686645581 +0200
-@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam
- }
- #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
-
-+/*
-+ * Read a line of input, remove whole line comments and strip off leading
-+ * and trailing spaces. Returns static storage that is reused.
-+ */
-+static char *
-+sudo_ldap_parseln(fp)
-+ FILE *fp;
-+{
-+ size_t len;
-+ char *cp = NULL;
-+ static char buf[LINE_MAX];
-+
-+ if (fgets(buf, sizeof(buf), fp) != NULL) {
-+ /* Remove comments */
-+ if (*buf == '#')
-+ *buf = '\0';
-+
-+ /* Trim leading and trailing whitespace/newline */
-+ len = strlen(buf);
-+ while (len > 0 && isspace((unsigned char)buf[len - 1]))
-+ buf[--len] = '\0';
-+ for (cp = buf; isblank(*cp); cp++)
-+ continue;
-+ }
-+ return(cp);
-+}
-+
- static bool
- sudo_ldap_read_config(void)
- {
-@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void)
- if ((fp = fopen(path_ldap_conf, "r")) == NULL)
- debug_return_bool(false);
-
-- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
-+ while ((line = sudo_ldap_parseln(fp)) != NULL) {
- if (*line == '\0')
- continue; /* skip empty line */
-
-@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void)
- if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
- sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
- }
-- free(line);
-+
- fclose(fp);
-
- if (!ldap_conf.host) {
diff --git a/sudo.spec b/sudo.spec
index b0a0802..782455d 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,11 +1,11 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.17p1 +Version: 1.8.21p2 Release: 1%{?dist} License: ISC Group: Applications/System -URL: http://www.courtesan.com/sudo/ -Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz +URL: https://www.sudo.ws/ +Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz Source1: sudoers Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: /etc/pam.d/system-auth @@ -26,8 +26,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# Patch to read ldap.conf more closely to nss_ldap -Patch2: sudo-1.8.14p1-ldapconfpatch.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -53,7 +51,6 @@ plugins that use %{name}. %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .ldapconfpatch %build # Remove bundled copy of zlib @@ -73,6 +70,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ @@ -102,6 +100,12 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers +#add sudo to protected packages +install -p -d -m 755 $RPM_BUILD_ROOT/etc/yum/protected.d/ +touch sudo.conf +echo sudo > sudo.conf +install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/yum/protected.d/ +rm -f sudo.conf chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files @@ -117,6 +121,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo #Remove all .la files find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' +# Remove sudoers.dist +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist + %find_lang sudo %find_lang sudoers 
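Review bot: `Source0` in the `@@ -1,11 +1,11 @@` hunk now points at the HTTPS upstream, but nothing visible in this spec ties the tarball to upstream's signing key. The SHA512 in `sources` only shows that the build uses the tarball the packager uploaded, not that it is the one upstream released. For a setuid-root package it is worth carrying the detached signature and the upstream keyring as extra `Source` entries and verifying them at the start of `%prep`, for example with the `%{gpgverify}` macro on releases that provide it. Whether upstream publishes a signature for this release should be confirmed before adding the entry; `%prep` itself lies outside this hunk.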
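Review bot: The added `--disable-root-mailer` in the `@@ -73,6 +70,7 @@` hunk changes which user runs the notification mailer, and the spec gives no reason for it. As upstream's install notes describe the option, the mailer then runs as the invoking user instead of root, so that user can signal or kill it and a mail alert about a denied sudo attempt may never be sent. The syslog settings kept in the same configure call (`--with-logging=syslog`, `--with-logfac=authpriv`) remain the dependable audit trail, and that is worth stating. A comment cannot sit inside the continued configure line, so put it above the call, e.g. `# --disable-root-mailer: mailer runs as the invoking user (rhbz#1324091); authpriv syslog is the audit trail`. The configure invocation starts and ends outside the hunk.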
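Review bot: The protected-package file in the `@@ -102,6 +100,12 @@` hunk is built through a scratch `sudo.conf` in the build directory, which is unnecessary and slightly risky. The `touch sudo.conf` is redundant before the `>` redirect, and the closing `rm -f sudo.conf` would delete any file of that name that the source tree or an earlier step had placed there. Writing straight into the buildroot avoids the scratch file: `echo sudo > $RPM_BUILD_ROOT/etc/yum/protected.d/sudo.conf` followed by `chmod 0644 $RPM_BUILD_ROOT/etc/yum/protected.d/sudo.conf`. The `%install` section begins and ends outside the hunk.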
@@ -154,6 +161,7 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf +%attr(0644,root,root) /etc/yum/protected.d/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -168,6 +176,7 @@ rm -rf $RPM_BUILD_ROOT %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? +%{_libexecdir}/sudo/libsudo_util.so %{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man5/sudo.conf.5* @@ -191,9 +200,36 @@ rm -rf $RPM_BUILD_ROOT %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* -%{_libexecdir}/sudo/libsudo_util.so %changelog +* Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 +- update to 1.8.21p2 +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) + +* Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 +- update to 1.8.20p2 +- added sudo to dnf/yum protected packages + +* Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 +- update to 1.8.20p1 +- fixes CVE-2017-1000367 + Resolves: rhbz#1456884 + +* Mon Apr 03 2017 Jiri Vymazal 1.8.19p2-1 +- update to 1.8.19p2 +- updated URL and source0 as upstream changed domain + +* Tue Nov 08 2016 Daniel Kopecek 1.8.18p1-1 +- update to 1.8.18p1 +- fixes CVE-2016-7076 + +* Wed Sep 21 2016 Radovan Sroka 1.8.18-1 +- update to 1.8.18 +- dropped sudo-1.8.14p1-ldapconfpatch.patch + upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html +- added --disable-root-mailer as configure option + Resolves: rhbz#1324091 + * Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 - update to 1.8.17p1 - install the /var/db/sudo/lectured
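Review bot: The new `%attr(0644,root,root) /etc/yum/protected.d/sudo.conf` entry in the `@@ -154,6 +161,7 @@` hunk packages the file but not the `/etc/yum/protected.d` directory that `%install` creates. Unless a package this one requires already owns that directory, it is left unowned on systems without yum, and its mode and ownership are then not tracked by rpm. Adding `%dir /etc/yum/protected.d` next to the file entry would settle it. The `%files` list continues outside the hunk, so an existing owner may simply not be visible here.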