diff --git a/dist b/dist
index 37a6f9cba7a88cbcf8ab13c9187a23e686af9edd..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8_9
+an8_10
diff --git a/sudo-1.9.17-CVE-2025-32462.patch b/sudo-1.9.17-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..42117c6c743a8a5aac0c9841b063b1ff0f035ee6
--- /dev/null
+++ b/sudo-1.9.17-CVE-2025-32462.patch
@@ -0,0 +1,22 @@
+diff -up ./plugins/sudoers/sudoers.c.cve-host ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.cve-host 2025-06-25 14:10:11.369219892 +0200
++++ ./plugins/sudoers/sudoers.c 2025-06-25 14:11:48.395137626 +0200
+@@ -393,6 +393,18 @@ sudoers_policy_main(int argc, char * con
+ }
+ }
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/sudo.spec b/sudo.spec
index 210c7697510792689ad7ce35faafb8088e5d97fe..77c8c5d5a63d4c8a6a5d2ae54916d55b0a212095 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,8 +1,8 @@
-%define anolis_release .0.2
+%define anolis_release .0.1
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{anolis_release}%{?dist}
+Release: 1%{anolis_release}%{?dist}.1
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
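Review bot: The new patch file carries no provenance header, so a maintainer reading sudo-1.9.17-CVE-2025-32462.patch on its own cannot tell where this 1.9.5p2 backport comes from or how much of the upstream change it carries; patch(1) ignores free text before the first `diff` line, so a one-line preamble such as `Backport of the RHEL 8.10.0.Z fix for CVE-2025-32462 (RHEL-100014): reject a user-supplied remote host unless sudo is listing or checking privileges.` would document it. The added check also relies on `user_runhost` holding exactly the same string as `user_host` whenever no remote host was requested; that default is assigned outside this hunk in 1.9.5p2, so it is worth confirming it is an identical string rather than a differently qualified host name, since otherwise the new `strcmp` would refuse every non-listing invocation. A build-time smoke test that a plain command still runs, that `sudo -l` with a different `-h` host still lists, and that a command with a different `-h` host now fails with the new message would pin both behaviours. sudoers_policy_main starts and ends outside the hunk.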
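Review bot: The new `Release` sorts below the one it replaces: `%define anolis_release .0.1` together with `Release: 1%{anolis_release}%{?dist}.1` yields 1.0.1.an8_10.1, and rpmvercmp compares that with the previous 1.0.2.an8_9 segment by segment, so 2 > 1 decides before the dist tag is reached and a host that already has 1.9.5p2-1.0.2.an8_9 installed will not receive this security update. Keeping the counter monotonic, e.g. `%define anolis_release .0.2` so the result is 1.0.2.an8_10.1 (which is newer than 1.0.2.an8_9), or `.0.3` without the trailing `.1`, restores the ordering; the EVR in the new %changelog entry further down the file must then be changed to match. If the .0.2 build was never published this is harmless, but nothing in the spec or changelog says so.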
@@ -53,8 +53,9 @@ Patch17: sudo-1.9.13-CVE-2023-28486-7-9.patch
 Patch18: linker.patch
 Patch19: sudo-1.9.15-CVE-2023-42465.patch
-Patch20: sudo-1.9.12p1-CVE-2022-43955.patch
-Patch27: sudo-1.8.29-sw.patch
+Patch20: sudo-1.9.17-CVE-2025-32462.patch
+Patch21: sudo-1.9.12p1-CVE-2022-43955.patch
+Patch22: sudo-1.8.29-sw.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -98,11 +99,11 @@ plugins that use %{name}.
 %patch -P 17 -p1 -b .cve-escape-9
 %patch -P 18 -p1 -b .linker
-
 %patch -P 19 -p1 -b .rowhammer
+%patch -P 20 -p1 -b .cve-host
-%patch -P 20 -p1 -b .CVE-2022-43955
-%patch27 -p1
+%patch -P 21 -p1 -b .CVE-2022-43955
+%patch22 -p1
 %build
 # Remove bundled copy of zlib
@@ -278,11 +279,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
-* Wed Mar 20 2024 wxiat - 1.9.5p2-1.0.2
+* Wed Jul 02 2025 guo chuang - 1.9.5p2-1.0.1.1
+- add patch for CVE-2022-43955
 - cherry-pick `add sw arch #67f107f94b2ae4b6376e750103f8f5fd1f3e6b31`.
-* Mon Mar 04 2024 guo chuang - 1.9.5p2-1.0.1
-- add patch for CVE-2022-43955
+* Wed Jun 25 2025 Radovan Sroka - 1.9.5p2-1.1
+RHEL 8.10.0.Z ERRATUM
+- CVE-2025-32462 sudo: LPE via host option
+Resolves: RHEL-100014
 * Mon Jan 22 2024 Radovan Sroka - 1.9.5p2-1
 RHEL 8.9.0.Z ERRATUM
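Review bot: In the %prep hunk, `+%patch22 -p1` keeps the legacy `%patchN` spelling while every neighbouring line uses `%patch -P N -p1 -b .suffix`; the `%patchN` form is deprecated in newer rpm releases, and the missing `-b` also makes this the only patch applied without a backup suffix, which hides what it touched when a later patch fails to apply. `%patch -P 22 -p1 -b .sw` would match the siblings. The renumbering here must stay in step with the `Patch20`–`Patch22` declarations in the hunk at line 53 above; at present it does, and the `.cve-host` suffix on the new `%patch -P 20` line matches the one used inside the patch file.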