diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
index 5a30d2da6a..5588247e26 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
@@ -1 +1 @@
-DIST sudo-1.8.25p1.tar.gz 3189951 BLAKE2B ebfedaad62e60f625db8c46a5c8f19977a5ec0a86bab3b34d91096c08e8b8ece056ba312f9fecd4cdd704fc17d49a36681b41cd40269df7c67cd66d80c0d8efb SHA512 b1445be688d3c1dd7efbdfab68977a7a9b6fd6887191dc99ca717117eec0a550492642556cd55ca5873d054ddc5ccc2b87b2c34602e1ffc729ab6fbc4e523a72
+DIST sudo-1.8.28.tar.gz 3309744 BLAKE2B 191a1f4239bdd2c1889b2a9c372a6fc949975e54cb510d25602798ee2e6e7b253a18fef290bc324acd4abb3049bcab909fdaa512bb24c400a95cc0901b50ab37 SHA512 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
index 66a78473b2..72faa0680c 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
@@ -12,11 +12,16 @@
 		arguments.
 	</longdescription>
 	<use>
-		<flag name="gcrypt">Use SHA2 from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's internal SHA2</flag>
+		<flag name="gcrypt">Use message digest functions from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's</flag>
+		<flag name="libressl">Use message digest functions from <pkg>dev-libs/libressl</pkg> instead of sudo's</flag>
 		<flag name="offensive">Let sudo print insults when the user types the wrong password</flag>
-		<flag name="openssl">Use SHA2 from <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2</flag>
 		<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
 		<flag name="sssd">Add System Security Services Daemon support</flag>
+		<flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
+		<flag name="system-digest">
+			Use message digest functions from <pkg>dev-libs/libgcrypt</pkg>, <pkg>dev-libs/libressl</pkg>
+			or <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2 implementation
+		</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.25_p1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.25_p1-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild
index 425bbb2659..023e5a069d 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.25_p1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild
@@ -1,29 +1,28 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI=7
 
-inherit eutils pam multilib libtool tmpfiles
-if [[ ${PV} == "9999" ]] ; then
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-	inherit mercurial
-fi
+inherit pam multilib libtool tmpfiles
 
-MY_P=${P/_/}
-MY_P=${MY_P/beta/b}
-
-uri_prefix=
-case ${P} in
-	*_beta*|*_rc*) uri_prefix=beta/ ;;
-esac
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
 
 DESCRIPTION="Allows users or groups to run commands as other users"
 HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} != "9999" ]] ; then
+if [[ ${PV} == "9999" ]] ; then
+	inherit mercurial
+	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+	uri_prefix=
+	case ${P} in
+		*_beta*|*_rc*) uri_prefix=beta/ ;;
+	esac
+
 	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
 	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris"
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-solaris"
 	fi
 fi
 
@@ -31,31 +30,36 @@ fi
 # 3-clause BSD license
 LICENSE="ISC BSD"
 SLOT="0"
-IUSE="gcrypt ldap nls offensive openssl pam sasl selinux +sendmail skey sssd"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
 
-CDEPEND="
+DEPEND="
 	sys-libs/zlib:=
-	gcrypt? ( dev-libs/libgcrypt:= )
 	ldap? (
 		>=net-nds/openldap-2.1.30-r1
 		dev-libs/cyrus-sasl
 	)
-	openssl? ( dev-libs/openssl:0= )
-	pam? ( virtual/pam )
+	pam? ( sys-libs/pam )
 	sasl? ( dev-libs/cyrus-sasl )
 	skey? ( >=sys-auth/skey-1.1.5-r1 )
 	sssd? ( sys-auth/sssd[sudo] )
+	system-digest? (
+		gcrypt? ( dev-libs/libgcrypt:= )
+		!gcrypt? (
+			!libressl? ( dev-libs/openssl:0= )
+			libressl? ( dev-libs/libressl:0= )
+		)
+	)
 "
 RDEPEND="
-	${CDEPEND}
+	${DEPEND}
 	>=app-misc/editor-wrapper-3
 	virtual/editor
+	ldap? ( dev-lang/perl )
 	pam? ( sys-auth/pambase )
 	selinux? ( sec-policy/selinux-sudo )
 	sendmail? ( virtual/mta )
 "
-DEPEND="
-	${CDEPEND}
+BDEPEND="
 	sys-devel/bison
 "
 
@@ -64,7 +68,6 @@ S="${WORKDIR}/${MY_P}"
 REQUIRED_USE="
 	pam? ( !skey )
 	skey? ( !pam )
-	?? ( gcrypt openssl )
 "
 
 MAKEOPTS+=" SAMPLES="
@@ -98,7 +101,7 @@ set_secure_path() {
 		local newpath thisp IFS=:
 		for thisp in $1 ; do
 			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:$thisp
+				newpath+=:${thisp}
 			else
 				einfo "   Duplicate entry ${thisp} removed..."
 			fi
@@ -111,8 +114,8 @@ set_secure_path() {
 	rmpath() {
 		local e newpath thisp IFS=:
 		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ $thisp == $e ]] && continue 2 ; done
-			newpath+=:$thisp
+			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+			newpath+=:${thisp}
 		done
 		SECURE_PATH=${newpath#:}
 	}
@@ -137,13 +140,13 @@ src_configure() {
 		--with-env-editor
 		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
 		--with-rundir="${EPREFIX}"/run/sudo
+		$(use_with secure-path secure-path ${SECURE_PATH})
 		--with-secure-path="${SECURE_PATH}"
 		--with-vardir="${EPREFIX}"/var/db/sudo
 		--without-linux-audit
 		--without-opie
 		$(use_enable gcrypt)
 		$(use_enable nls)
-		$(use_enable openssl)
 		$(use_enable sasl)
 		$(use_with offensive insults)
 		$(use_with offensive all-insults)
@@ -155,6 +158,13 @@ src_configure() {
 		$(use_with selinux)
 		$(use_with sendmail)
 	)
+
+	if use system-digest && ! use gcrypt; then
+		myeconfargs+=("--enable-openssl")
+	else
+		myeconfargs+=("--disable-openssl")
+	fi
+
 	econf "${myeconfargs[@]}"
 }
 
@@ -176,6 +186,9 @@ src_install() {
 		insinto /etc
 		doins "${T}"/ldap.conf.sudo
 		fperms 0440 /etc/ldap.conf.sudo
+
+		insinto /etc/openldap/schema
+		newins doc/schema.OpenLDAP sudo.schema
 	fi
 
 	pamd_mimic system-auth sudo auth account session
@@ -186,7 +199,7 @@ src_install() {
 
 	# Don't install into /run as that is a tmpfs most of the time
 	# (bug #504854)
-	rm -rf "${ED%/}"/run
+	rm -rf "${ED}"/run
 }
 
 pkg_postinst() {