diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md
new file mode 100644
index 0000000000..2b4b1d02cf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md
@@ -0,0 +1 @@
+- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md
new file mode 100644
index 0000000000..2c621b4181
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md
@@ -0,0 +1 @@
+- shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index df8d6d701f..57f2da854f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -139,3 +139,9 @@ dev-libs/openssl fips
 
 # enables ELF support to e.g. allow tc to handle BPF filters.
 sys-apps/iproute2 elf
+
+# Enable su for shadow, because shadow >= 4.11 does not have it by default.
+# Ideally util-linux should have the su binary, but that is currently not
+# possible, because of a bunch of additional dependencies in SDK like
+# pam_sssd in baselayout.
+sys-apps/shadow su
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
index e78c96da24..d6747cbe3b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
@@ -1 +1 @@
-DIST shadow-4.8.tar.xz 1609060 BLAKE2B 9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f SHA512 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
+DIST shadow-4.11.1.tar.xz 1656584 BLAKE2B d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588 SHA512 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
deleted file mode 100644
index 08382fcb95..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 97839741..ff153d92 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -2,8 +2,8 @@
- EXTRA_DIST = \
- 	.indent.pro
- 
--ubindir = ${bindir}
--usbindir = ${sbindir}
-+ubindir = ${prefix}/bin
-+usbindir = ${prefix}/sbin
- suidperms = 4755
- sgidperms = 2755
- 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml
index 908eabb59f..732ee860c2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>base-system@gentoo.org</email>
@@ -9,7 +9,9 @@
 		<flag name="bcrypt">build the bcrypt password encryption algorithm</flag>
 		<flag name="su">build the su program</flag>
 	</use>
-	<!-- only for USE=pam -->
+	<slots>
+		<subslots>Reflect ABI of libsubids.so</subslots>
+	</slots>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:debian:shadow</remote-id>
 		<remote-id type="github">shadow-maint/shadow</remote-id>
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild
index 8419e240b0..4570e82f7e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild
@@ -1,19 +1,20 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
 TMPFILES_OPTIONAL=1
-inherit autotools libtool pam systemd tmpfiles
+inherit libtool pam systemd tmpfiles
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz"
 
 LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86"
-IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr"
+# Subslot is for libsubid's SONAME.
+SLOT="0/4"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr"
 # Taken from the man/Makefile.am file.
 LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
 
@@ -24,6 +25,7 @@ BDEPEND="
 	sys-devel/gettext
 "
 COMMON_DEPEND="
+	virtual/libcrypt:=
 	acl? ( sys-apps/acl:0= )
 	audit? ( >=sys-process/audit-2.6:0= )
 	cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
@@ -40,26 +42,33 @@ DEPEND="${COMMON_DEPEND}
 	>=sys-kernel/linux-headers-4.14
 "
 RDEPEND="${COMMON_DEPEND}
+	!<sys-apps/man-pages-5.11-r1
+	!=sys-apps/man-pages-5.12-r0
+	!=sys-apps/man-pages-5.12-r1
+	nls? (
+		!<app-i18n/man-pages-it-5.06-r1
+		!<app-i18n/man-pages-ja-20180315-r1
+		!<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
+	)
 	pam? ( >=sys-auth/pambase-20150213 )
 	su? ( !sys-apps/util-linux[su(-)] )
 "
 
 PATCHES=(
 	"${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
-	"${FILESDIR}/${P}-revert-bin-merge.patch"
 )
 
 src_prepare() {
 	default
-	eautoreconf
-	#elibtoolize
+
+	#eautoreconf
+	elibtoolize
 }
 
 src_configure() {
 	local myeconfargs=(
 		--disable-account-tools-setuid
-		--enable-shared=no
-		--enable-static=yes
+		--disable-static
 		--with-btrfs
 		--without-group-name-max-length
 		--without-tcb
@@ -77,8 +86,6 @@ src_configure() {
 	)
 	econf "${myeconfargs[@]}"
 
-	has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
-
 	if use nls ; then
 		local l langs="po" # These are the pot files.
 		for l in ${LANGS[*]} ; do
@@ -89,7 +96,7 @@ src_configure() {
 }
 
 set_login_opt() {
-	local comment="" opt=$1 val=$2
+	local comment="" opt=${1} val=${2}
 	if [[ -z ${val} ]]; then
 		comment="#"
 		sed -i \
@@ -107,12 +114,10 @@ set_login_opt() {
 src_install() {
 	emake DESTDIR="${D}" suidperms=4711 install
 
-	# Remove libshadow and libmisc; see bug 37725 and the following
-	# comment from shadow's README.linux:
-	#   Currently, libshadow.a is for internal use only, so if you see
-	#   -lshadow in a Makefile of some other package, it is safe to
-	#   remove it.
-	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+	# 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
+	emake DESTDIR="${D}" -C man install
+
+	find "${ED}" -name '*.la' -type f -delete || die
 
 	# Remove files from /etc, they will be symlinks to /usr instead.
 	rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
@@ -218,9 +223,13 @@ src_install() {
 	fi
 
 	# Remove manpages that are handled by other packages
-	find "${ED}"/usr/share/man \
-		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
-		-delete
+	find "${ED}"/usr/share/man -type f \
+		'(' -name id.1 -o -name getspnam.3 ')' \
+		-delete || die
+
+	if ! use su ; then
+		find "${ED}"/usr/share/man -type f -name su.1 -delete || die
+	fi
 
 	cd "${S}" || die
 	dodoc ChangeLog NEWS TODO