diff --git a/20150312-PATCH_BlueZ_shared_gatt-client_Fix_invalid_read-56974.patch b/20150312-PATCH_BlueZ_shared_gatt-client_Fix_invalid_read-56974.patch
new file mode 100644
index 0000000..53ed942
--- /dev/null
+++ b/20150312-PATCH_BlueZ_shared_gatt-client_Fix_invalid_read-56974.patch
@@ -0,0 +1,123 @@
+Betreff: [PATCH BlueZ] shared/gatt-client: Fix invalid read
+Von: Luiz Augusto von Dentz
+Datum: 12.03.2015 10:05
+An: linux-bluetooth@vger.kernel.org
+
+From: Luiz Augusto von Dentz
+
+This fixes the following trace caused by last changes which included
+prepare write support but broke cancel_request code:
+
+Invalid read of size 1
+ at 0x43E726: cancel_request (gatt-client.c:1854)
+ by 0x447E4F: queue_remove_all (queue.c:387)
+ by 0x43F19A: bt_gatt_client_cancel_all (gatt-client.c:1866)
+ by 0x43F250: bt_gatt_client_free (gatt-client.c:1569)
+ by 0x43F3D0: bt_gatt_client_unref (gatt-client.c:1692)
+ by 0x43380C: destroy_context (test-gatt.c:284)
+ by 0x43380C: context_quit (test-gatt.c:312)
+ by 0x433E77: test_read_cb (test-gatt.c:677)
+ by 0x43C260: read_cb (gatt-client.c:1924)
+ by 0x43948B: handle_rsp (att.c:640)
+ by 0x43948B: can_read_data (att.c:813)
+ by 0x446DAA: watch_callback (io-glib.c:170)
+ by 0x4E7E7FA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
+ by 0x4E7EB97: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
+ Address 0x57f0908 is 8 bytes inside a block of size 40 free'd
+ at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+ by 0x43E06F: request_unref (gatt-client.c:160)
+ by 0x4389C6: cancel_att_send_op (att.c:222)
+ by 0x4389C6: bt_att_cancel (att.c:1194)
+ by 0x43E71D: cancel_request (gatt-client.c:1852)
+ by 0x447E4F: queue_remove_all (queue.c:387)
+ by 0x43F19A: bt_gatt_client_cancel_all (gatt-client.c:1866)
+ by 0x43F250: bt_gatt_client_free (gatt-client.c:1569)
+ by 0x43F3D0: bt_gatt_client_unref (gatt-client.c:1692)
+ by 0x43380C: destroy_context (test-gatt.c:284)
+ by 0x43380C: context_quit (test-gatt.c:312)
+ by 0x433E77: test_read_cb (test-gatt.c:677)
+ by 0x43C260: read_cb (gatt-client.c:1924)
+ by 0x43948B: handle_rsp (att.c:640)
+ by 0x43948B: can_read_data (att.c:813)
+---
+ src/shared/gatt-client.c | 44 ++++++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 28 deletions(-)
+
+diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
+index 5ee753e..1e7032c 100644
+--- a/src/shared/gatt-client.c
++++ b/src/shared/gatt-client.c
+@@ -1815,47 +1815,34 @@ static bool cancel_prep_write_session(struct bt_gatt_client *client,
+ req, request_unref);
+ }
+
+-bool bt_gatt_client_cancel(struct bt_gatt_client *client, unsigned int id)
++static bool cancel_request(void *data)
+ {
+- struct request *req;
+-
+- if (!client || !id || !client->att)
+- return false;
+-
+- req = queue_remove_if(client->pending_requests, match_req_id,
+- UINT_TO_PTR(id));
+- if (!req)
+- return false;
++ struct request *req = data;
+
+ req->removed = true;
+
+- if (!bt_att_cancel(client->att, req->att_id) && !req->long_write &&
+- !req->prep_write)
+- return false;
+-
+- /* If this was a long-write, we need to abort all prepared writes */
+ if (req->long_write)
+- return cancel_long_write_req(client, req);
++ return cancel_long_write_req(req->client, req);
+
+ if (req->prep_write)
+- return cancel_prep_write_session(client, req);
++ return cancel_prep_write_session(req->client, req);
+
+- return true;
++ return bt_att_cancel(req->client->att, req->att_id);
+ }
+
+-static void cancel_request(void *data)
++bool bt_gatt_client_cancel(struct bt_gatt_client *client, unsigned int id)
+ {
+- struct request *req = data;
+-
+- req->removed = true;
++ struct request *req;
+
+- bt_att_cancel(req->client->att, req->att_id);
++ if (!client || !id || !client->att)
++ return false;
+
+- if (req->long_write)
+- cancel_long_write_req(req->client, req);
++ req = queue_remove_if(client->pending_requests, match_req_id,
++ UINT_TO_PTR(id));
++ if (!req)
++ return false;
+
+- if (req->prep_write)
+- cancel_prep_write_session(req->client, req);
++ return cancel_request(req);
+ }
+
+ bool bt_gatt_client_cancel_all(struct bt_gatt_client *client)
+@@ -1863,7 +1850,8 @@ bool bt_gatt_client_cancel_all(struct bt_gatt_client *client)
+ if (!client || !client->att)
+ return false;
+
+- queue_remove_all(client->pending_requests, NULL, NULL, cancel_request);
++ queue_remove_all(client->pending_requests, NULL, NULL,
++ (queue_destroy_func_t) cancel_request);
+
+ if (client->discovery_req) {
+ bt_gatt_request_cancel(client->discovery_req);
+-- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
+
diff --git a/bluez-5.28.tar.xz b/bluez-5.28.tar.xz
deleted file mode 100644
index 354123a..0000000
--- a/bluez-5.28.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:85bab48f4b47a158739028682c1e09cf30099c8ea9dfe63360055f8e06fc18a9
-size 1553592
diff --git a/bluez-5.29.tar.xz b/bluez-5.29.tar.xz
new file mode 100644
index 0000000..829e4a7
--- /dev/null
+++ b/bluez-5.29.tar.xz
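Review bot: In the second nested hunk of the carried patch, `(queue_destroy_func_t) cancel_request` hands a `bool (*)(void *)` to `queue_remove_all()` through the queue's `void`-returning callback type, and invoking a function through a pointer of an incompatible type is undefined behaviour in C (C11 6.5.2.2p9), even though it happens to work on the common ABIs where the ignored return value sits in a register. A small `static void` adapter that calls `cancel_request()` and drops its result keeps `bt_gatt_client_cancel()` able to report status while giving the queue a correctly typed destroy function. The new `cancel_request()` is also only safe because `bt_att_cancel()` is its last statement: the valgrind trace in this same file shows `bt_att_cancel()` reaching `request_unref()` and freeing `req`, so a comment above that `return`, e.g. `/* bt_att_cancel() may drop the last reference to req; nothing may touch req after this call */`, would stop a future reorder from reintroducing the use-after-free. I also note that the long_write and prep_write paths no longer call `bt_att_cancel()` at all; whether `cancel_long_write_req()` and `cancel_prep_write_session()` cancel the outstanding ATT operation themselves is not visible here and is worth confirming against upstream.
```c
/* … unchanged: cancel_request() … */

/* queue_destroy_func_t-compatible adapter; the cancel status is not
 * needed when every pending request is being torn down. */
static void cancel_request_destroy(void *data)
{
	cancel_request(data);
}

/* … unchanged: bt_gatt_client_cancel() … */

	queue_remove_all(client->pending_requests, NULL, NULL,
						cancel_request_destroy);
```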
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df216a6d5ec6133355e5d4ed6b5e7a188a940940d337374e166758513246f0e4
+size 1573632
diff --git a/bluez.changes b/bluez.changes
index 65fd107..777db57 100644
--- a/bluez.changes
+++ b/bluez.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Mar 12 12:03:30 UTC 2015 - seife+obs@b1-systems.com
+
+- update to version 5.29
+ This is a comparatively large release with over a month and 475
+ commits since 5.28. There have been lots of fixes to the Android
+ side. Our internal GATT library (used both by ‘normal’ BlueZ as
+ well as the Android version) received lots of updates for this
+ release. Other notable changes are a fix for AVCTP key repeat
+ timeout as well as added support for the Multi Profile
+ Specification (MPS).
+- add patch from bluez-devel for fixing test case failure (will be
+ included in next bluez release)
+
 -------------------------------------------------------------------
 Tue Feb 3 10:45:20 UTC 2015 - seife+obs@b1-systems.com
diff --git a/bluez.spec b/bluez.spec
index 12dcdbc..2c5342e 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -24,7 +24,7 @@ BuildRequires: libcap-ng-devel
 BuildRequires: systemd-devel
 BuildRequires: pkgconfig(dbus-1) >= 1.4
 %{?systemd_requires}
-Version: 5.28
+Version: 5.29
 Release: 0
 Summary: Bluetooth Stack for Linux
 License: GPL-2.0+
@@ -36,6 +36,8 @@ Source7: bluetooth.modprobe
 # fix some logitech HID devices, bnc#681049, bnc#850478 --seife+obs@b1-systems.com
 Patch1: bluez-5.11-logitech-hid2hci.patch
 Patch2: bluez-sdp-unix-path.patch
+# temporary fix untils bluez-5.30 comes along
+Patch100: 20150312-PATCH_BlueZ_shared_gatt-client_Fix_invalid_read-56974.patch
 BuildRequires: alsa-devel
 BuildRequires: automake
 BuildRequires: check-devel
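Review bot: The comment introduced above `Patch100` has a typo (`untils`) and records only the release expected to make the patch obsolete, not where the patch came from, so whoever bumps to 5.30 has to open the patch file to learn what to check upstream for. Since the changes entry already states it came from bluez-devel, the comment could carry that reference inline, e.g. `# temporary fix until bluez-5.30 comes along; upstream "[PATCH BlueZ] shared/gatt-client: Fix invalid read", linux-bluetooth 2015-03-12`. That also makes it straightforward to confirm the carried file matches what upstream finally merged before dropping it.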
@@ -111,6 +113,7 @@ BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch100 -p1
 mkdir dbus-apis
 cp -a doc/*.txt dbus-apis/
 # FIXME: Change the dbus service to be a real service, not systemd launched