diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
index beb3713960..93ce11858b 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
@@ -1,2 +1,2 @@
-DIST sudo-1.9.10.tar.gz 4516568 BLAKE2B 94d97379e31b41917616a829cbece3d3fce7dd6ab9d04791b928981c14249c306508298655c19dc59a054ccf7deed4e69e65367cbfe9f6d8b5aba8895cfa6064 SHA512 65cf92b67b64413cb807da8b9602fc90b75e5b30dd1402d682ca36f276a3d6209a8a59c14e463898abc9856bc56263e5ba4bb6d44774f56a2885a9eea4a35375
-DIST sudo-1.9.10.tar.gz.sig 566 BLAKE2B 808919c826faa4f63efc283461f9f2089fd745aaf7462bcc41c505e7f978e7d56307202f96548d95844c99236fec10cada8438b935a1e1b6ea3601ee857d6900 SHA512 4ea0b736783b8e7be47645f770d7684d99c31f901177d3527f1ff78f5126d41592a94d36c67762bf5cb941eed80b9f585637aaa81d7f4920576d31a83f447323
+DIST sudo-1.9.12p1.tar.gz 4908060 BLAKE2B 976d00fb16b0d26b2714a188e379ccba102e0fa67b8ec6278e5435728af0cc9ba23d63db64a87d4e14d59cd52d3f62401943eb7c0f9c33317179ff764a9f950c SHA512 6f564112aa1e0e9cd223adb280bd430d513109c031e52deca308501234dedc0d7418f13cbb9b4249ac58d997cfdae1908c280c26733acbc55dbf9db45dff239a
+DIST sudo-1.9.12p1.tar.gz.sig 566 BLAKE2B 09f51a9f8eddaafc83bc5faac84ef0c0c37148beec025c777c1a19fd6ca88ecf354390f3557c31c74d13944093eb0ad921a2b7bdff04415f901fee549617e5f8 SHA512 6ec0596ad69fd6afc95d15a6e0ff871449e4534a651311371a4a604c258a34af6b41202cd2c636213d3128a811c5824338454cad764e1c05413ef02b551b7ae2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
index 045c53c4fa..7660289e00 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
@@ -20,5 +20,6 @@
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
+		<remote-id type="github">sudo-project/sudo</remote-id>
 	</upstream>
 </pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.10-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.12_p1.ebuild
similarity index 76%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.10-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.12_p1.ebuild
index 85fe28fb89..a54b4252c1 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.10-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.12_p1.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 inherit pam libtool tmpfiles toolchain-funcs
 
@@ -10,30 +10,37 @@ MY_P="${MY_P/beta/b}"
 
 DESCRIPTION="Allows users or groups to run commands as other users"
 HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
+
+if [[ ${PV} == 9999 ]] ; then
 	inherit mercurial
 	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
 else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
 	inherit verify-sig
-	VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/sudo.ws.asc
-	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
 
 	uri_prefix=
 	case ${P} in
 		*_beta*|*_rc*) uri_prefix=beta/ ;;
 	esac
 
-	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+	SRC_URI="
+		https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
 		verify-sig? (
 			https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
 			ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
-		)"
-	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~sparc-solaris"
+		)
+	"
+
+	if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+		KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc ~x86 ~sparc-solaris"
 	fi
+
+	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
 fi
 
+S="${WORKDIR}/${MY_P}"
+
 # Basic license is ISC-style as-is, some files are released under
 # 3-clause BSD license
 LICENSE="ISC BSD"
@@ -53,6 +60,7 @@ DEPEND="
 	)
 	pam? ( sys-libs/pam )
 	sasl? ( dev-libs/cyrus-sasl )
+	selinux? ( sys-libs/libselinux )
 	skey? ( >=sys-auth/skey-1.1.5-r1 )
 	ssl? ( dev-libs/openssl:0= )
 	sssd? ( sys-auth/sssd[sudo] )
@@ -72,8 +80,6 @@ BDEPEND+="
 	virtual/pkgconfig
 "
 
-S="${WORKDIR}/${MY_P}"
-
 REQUIRED_USE="
 	?? ( pam skey )
 	?? ( gcrypt ssl )
@@ -83,24 +89,27 @@ MAKEOPTS+=" SAMPLES="
 
 src_prepare() {
 	default
+
 	elibtoolize
 }
 
 set_secure_path() {
-	# first extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
-		echo "${ROOTPATH}")
-		case "${SECURE_PATH}" in
-			*/usr/sbin*) ;;
-			*) SECURE_PATH=$(unset PATH;
-				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-				;;
-		esac
+	# First extract the default ROOTPATH from build env
+	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+	case "${SECURE_PATH}" in
+		*/usr/sbin*)
+			;;
+		*)
+			SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+			;;
+	esac
+
 	if [[ -z ${SECURE_PATH} ]] ; then
 		ewarn "	Failed to detect SECURE_PATH, please report this"
 	fi
 
-	# then remove duplicate path entries
+	# Then remove duplicate path entries
 	cleanpath() {
 		local newpath thisp IFS=:
 		for thisp in $1 ; do
@@ -114,11 +123,13 @@ set_secure_path() {
 	}
 	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
 
-	# finally, strip gcc paths #136027
+	# Finally, strip gcc paths, bug #136027
 	rmpath() {
 		local e newpath thisp IFS=:
 		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+			for e ; do
+				[[ ${thisp} == ${e} ]] && continue 2 ;
+			done
 			newpath+=:${thisp}
 		done
 		SECURE_PATH=${newpath#:}
@@ -128,15 +139,25 @@ set_secure_path() {
 
 src_configure() {
 	local SECURE_PATH
-	set_secure_path
-	tc-export PKG_CONFIG #767712
 
-	# audit: somebody got to explain me how I can test this before I
+	set_secure_path
+
+	# bug #767712
+	tc-export PKG_CONFIG
+
+	# - audit: somebody got to explain me how I can test this before I
 	# enable it.. - Diego
-	# plugindir: autoconf code is crappy and does not delay evaluation
+	# - plugindir: autoconf code is crappy and does not delay evaluation
 	# until `make` time, so we have to use a full path here rather than
 	# basing off other values.
-	myeconfargs=(
+	local myeconfargs=(
+		# We set all of the relevant options by ourselves (patched
+		# into the toolchain) and setting these in the build system
+		# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+		# (it'll downgrade to =2). So, this has no functional effect on
+		# the hardening for users. It's safe.
+		--disable-hardening
+
 		# requires some python eclass
 		--disable-python
 		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
@@ -199,20 +220,22 @@ src_install() {
 
 	fi
 
-	if use pam; then
+	if use pam ; then
 		pamd_mimic system-auth sudo auth account session
 		pamd_mimic system-auth sudo-i auth account session
 	fi
 
 	keepdir /var/db/sudo/lectured
 	fperms 0700 /var/db/sudo/lectured
-	fperms 0711 /var/db/sudo #652958
+	# bug #652958
+	fperms 0711 /var/db/sudo
 
 	# Don't install into /run as that is a tmpfs most of the time
 	# (bug #504854)
 	rm -rf "${ED}"/run || die
 
-	find "${ED}" -type f -name "*.la" -delete || die #697812
+	# bug #697812
+	find "${ED}" -type f -name "*.la" -delete || die
 
 	# Flatcar: Remove sudo.conf as it is shipped via baselayout
 	rm "${ED}/etc/sudo.conf" || die
@@ -222,7 +245,7 @@ src_install() {
 pkg_postinst() {
 	tmpfiles_process sudo.conf
 
-	#652958
+	# bug #652958
 	local sudo_db="${EROOT}/var/db/sudo"
 	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
 		chmod 711 "${sudo_db}" || die
@@ -230,20 +253,20 @@ pkg_postinst() {
 
 	if use ldap ; then
 		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+		ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
 		ewarn
 		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
 			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
+			ewarn "configured in ${ROOT}/etc/nsswitch.conf."
 			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+			ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
 			ewarn "  sudoers: ldap files"
 			ewarn
 		fi
 	fi
 	if use prefix ; then
 		ewarn
-		ewarn "To use sudo, you need to change file ownership and permissions"
+		ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
 		ewarn "with root privileges, as follows:"
 		ewarn
 		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-12-02-sudo-1.9.12_p1.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-12-02-sudo-1.9.12_p1.md
new file mode 100644
index 0000000000..0c0dc1403f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-12-02-sudo-1.9.12_p1.md
@@ -0,0 +1 @@
+- sudo ([CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-02-sudo-1.9.12_p1.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-02-sudo-1.9.12_p1.md
new file mode 100644
index 0000000000..5cd76671f8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-02-sudo-1.9.12_p1.md
@@ -0,0 +1 @@
+- sudo ([1.9.12_p1](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1))