diff --git a/sudo_upgrade.yml b/sudo_upgrade.yml
new file mode 100755
index 0000000..45b01ad
--- /dev/null
+++ b/sudo_upgrade.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+# This is a special playbook to upgrade sudo everywhere after the
+# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
+# Please always use with --limit myserver.adm.auro.re
+# And list updates with --check
+- hosts: all
+ tasks:
+ - name: Upgrade sudo
+ apt:
+ name: sudo
+ state: latest
+ update_cache: true
+ cache_valid_time: 3600 # one hour
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
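Review bot: `cache_valid_time: 3600` lets the `apt` task reuse a package index up to an hour old, so a host whose cache was refreshed just before the fixed sudo package was published will report no change under `state: latest` and stay exposed to CVE-2021-3156; for an emergency rollout I would drop that line so `update_cache: true` always refreshes. `state: latest` also installs sudo on hosts that do not have it, adding a setuid binary where there was none; `only_upgrade: true` restricts the task to hosts that already have the package. The play targets `hosts: all` and relies on a comment to remind operators to pass `--limit`; a first task such as `- assert: { that: ansible_limit is defined }` would enforce it instead. Nothing in the play confirms the installed version afterwards, so a follow-up task comparing the package version with the fixed release named in the distribution's advisory would make the run auditable.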