diff --git a/openssh.spec b/openssh.spec
index e3fffe7..cb76c09 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -49,7 +49,7 @@
 %global openssh_ver 9.9p1
 %global openssh_rel 5
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 7
+%global pam_ssh_agent_rel 8
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -104,6 +104,8 @@ Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
 Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2070113
 Patch308: pam_ssh_agent_auth-0.10.4-rsasha2.patch
+# fix manual page claiming SSH_AUTH_SOCK not being required by newer sudo
+Patch309: pam_ssh_agent_auth-0.10.4-doc.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
 Patch400: openssh-7.8p1-role-mls.patch
@@ -380,6 +382,7 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch305 -p2 -b .psaa-agent
 %patch307 -p2 -b .psaa-deref
 %patch308 -p2 -b .rsasha2
+%patch309 -p2 -b .psaa-doc
 # Remove duplicate headers and library files
 rm -f $(cat %{SOURCE5})
 popd
@@ -748,10 +751,12 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
-* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-5
+* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-5 + 0.10.4-8
 - CVE-2026-3497: Fix information disclosure or denial of service due
   to uninitialized variables in gssapi-keyex
   Resolves: RHEL-155825
+- Fix incorrect claim about SSH_AUTH_SOCK in pam_ssh_agent_auth manual page
+  Resolves: RHEL-122302
 
 * Wed Feb 25 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-4
 - Provide a way to skip unsupported ML-KEM hybrid algorithms in FIPS mode
diff --git a/pam_ssh_agent_auth-0.10.4-doc.patch b/pam_ssh_agent_auth-0.10.4-doc.patch
new file mode 100644
index 0000000..f6f0d05
--- /dev/null
+++ b/pam_ssh_agent_auth-0.10.4-doc.patch
@@ -0,0 +1,11 @@
+diff --color -ruNp a/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.pod b/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.pod
+--- a/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.pod	2019-07-08 18:36:13.000000000 +0200
++++ b/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.pod	2026-03-17 12:24:44.462364449 +0100
+@@ -18,7 +18,6 @@ This module provides authentication via
+ 
+ =item /etc/sudoers:
+  
+-In older versions of sudo (< 1.8.5) it was necessary to set:
+  Defaults    env_keep += "SSH_AUTH_SOCK"
+ 
+ =back