diff --git a/docker-ansible-lint/Dockerfile b/docker-ansible-lint/Dockerfile
index 5d60549..1db9744 100644
--- a/docker-ansible-lint/Dockerfile
+++ b/docker-ansible-lint/Dockerfile
@@ -2,6 +2,6 @@ FROM python:3.9-alpine
 LABEL description="Aurore's docker image for ansible-lint"
 RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
-RUN pip install "yamllint>=1.26.0,<2.0"
-RUN pip install "ansible-lint==5.0.0"
-RUN pip install "ansible>=2.10,<2.11"
+RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
+RUN pip install --no-cache-dir "ansible-lint==5.0.0"
+RUN pip install --no-cache-dir "ansible>=2.10,<2.11"
diff --git a/sudo_upgrade.yml b/sudo_upgrade.yml
new file mode 100755
index 0000000..45b01ad
--- /dev/null
+++ b/sudo_upgrade.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+# This is a special playbook to upgrade sudo everywhere after the
+# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
+# Please always use with --limit myserver.adm.auro.re
+# And list updates with --check
+- hosts: all
+ tasks:
+ - name: Upgrade sudo
+ apt:
+ name: sudo
+ state: latest
+ update_cache: true
+ cache_valid_time: 3600 # one hour
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
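Review bot: Two of the three rewritten `pip install` lines still take version ranges (`yamllint>=1.26.0,<2.0` and `ansible>=2.10,<2.11`), so each rebuild of the lint image can resolve to a different release than the previous one. Pinning them exactly, the way `ansible-lint==5.0.0` already is, or installing from a hash-locked file with `RUN pip install --no-cache-dir --require-hashes -r requirements.txt`, would make the image reproducible and keep an unexpected upload from entering CI unnoticed. The compiler packages from the `apk add` context line (gcc, cargo, the -dev headers) also stay in the final image, which works against the size saving this change is after. The rest of the Dockerfile lies outside the hunk.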
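Review bot: Nothing in the play enforces the `--limit` that the header comment asks for, so with `hosts: all` a run without it changes the sudo package on the whole inventory. A first task asserting that `ansible_limit` is defined would turn the comment into a check. Separately, `state: latest` installs sudo on hosts that do not have it yet; `only_upgrade: true` on the apt task keeps the play to upgrading existing installs. No `become` is visible in the file, so the task presumably relies on privilege escalation being configured elsewhere.

```yaml
    # first task of the play, ahead of "Upgrade sudo"
    - name: Refuse to run without --limit
      assert:
        that: ansible_limit is defined
        fail_msg: "Run this playbook with --limit <host>"

    - name: Upgrade sudo
      apt:
        # … unchanged: name, state, update_cache, cache_valid_time …
        only_upgrade: true
      # … unchanged: register, retries, until …
```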