Bugzilla – Bug 767
SUDOERS(5) Environment Variables from env_file are not filtered by env_keep
Last modified: 2017-01-17 10:21:20 MST
I'm using sudo on Ubuntu Release 14.04 ... According to the Sudoers(5) manual, in the section called "Command Environment" that discusses env_reset, env_check, env_delete and env_keep, it states:

    By default, environment variables are matched by name. However, if the pattern includes an equal sign (‘=’), both the variable's name and value must match.

In my sudoers file I have the following:

    Defaults env_reset
    Cmnd_Alias PGM=/my/pgm
    Defaults!PGM env_file=/my/myenv

/my/myenv contains only one env var: "MYPATH=/db1"

PGM alias "/my/pgm" just spits out all the set program variables.

When I run: sudo /usr/pgm | grep MYPATH -- I get: "MYPATH=/db1"

If I add this line to sudoers:

    Defaults!PGM env_keep += "MYPATH=/XX1"

Running "sudo /usr/pgm | grep MYPATH" should NOT produce "MYPATH=/db1" because, according to Sudoers(5), the "variable=value" in env_keep does not exactly match the env. var. for MYPATH that is set for sudo by the env_file.

I think this is a bug because the actions contradict the manual. However, even if it is not deemed a bug for some reason, it should be fixed as an enhancement.

Reason: MYPATH is a specialized search path that finds specific kinds of executable objects (much like PATH). For security reasons, if I want to make sure no one has spoofed MYPATH and redirected my executable search to their nefarious binary by changing MYPATH's value, I need sudo to filter it through the env_keep list, comparing my "variable=value" literal to the env_keep filter and leaving MYPATH out of the env variables for sudo if there is no match. This is not being done.
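As an added illustration (not sudo's code and not part of the bug report), the following Python models the env_keep matching rule quoted from sudoers(5) above and applies it to the reporter's env_file value; the env_file parsing details and all function names are assumptions.

```python
# Added example: a model of the env_keep matching rule quoted from sudoers(5)
# in the report ("matched by name" unless the pattern contains '=', in which
# case both name and value must match). This is NOT sudo's implementation.

from typing import Dict, Iterable, List


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse NAME=value (or 'export NAME=value') lines from an env_file.
    Quoting rules are an assumption; surrounding quotes are stripped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip().strip('"').strip("'")
    return env


def env_keep_matches(pattern: str, name: str, value: str) -> bool:
    """Documented rule: a pattern without '=' matches by name only;
    a pattern with '=' must match the name AND the value exactly."""
    if "=" in pattern:
        pname, _, pvalue = pattern.partition("=")
        return pname == name and pvalue == value
    return pattern == name


def filter_env(env: Dict[str, str], env_keep: Iterable[str]) -> Dict[str, str]:
    """Return the subset of env that the env_keep list would preserve."""
    patterns = list(env_keep)
    return {n: v for n, v in env.items()
            if any(env_keep_matches(p, n, v) for p in patterns)}


# Constructed input mirroring the report: the env_file sets MYPATH=/db1.
MYENV_FILE = "MYPATH=/db1\n"


def expected_after_env_keep(env_keep: List[str]) -> Dict[str, str]:
    """What the manual's rule predicts sudo should leave in the environment."""
    return filter_env(parse_env_file(MYENV_FILE), env_keep)


if __name__ == "__main__":
    # A value mismatch should drop MYPATH; an exact name=value match or a
    # bare name keeps it.
    print(expected_after_env_keep(["MYPATH=/XX1"]))  # {}
    print(expected_after_env_keep(["MYPATH=/db1"]))  # {'MYPATH': '/db1'}
    print(expected_after_env_keep(["MYPATH"]))       # {'MYPATH': '/db1'}
```

The report states that the sudo build in question does not apply this filtering to variables loaded from env_file, so the model shows the outcome the manual predicts, not the observed one.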
*** This bug has been marked as a duplicate of bug 768 ***