diff --git a/gnutls-3.4.1.tar.xz b/gnutls-3.4.1.tar.xz
deleted file mode 100644
index cbe1c30..0000000
--- a/gnutls-3.4.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e9b5f58becf34756464216056cd5abbf04315eda80a374d02699dee83f80b12e
-size 6469756
diff --git a/gnutls-3.4.1.tar.xz.sig b/gnutls-3.4.1.tar.xz.sig
deleted file mode 100644
index a744a7c..0000000
Binary files a/gnutls-3.4.1.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.4.4.tar.xz b/gnutls-3.4.4.tar.xz
new file mode 100644
index 0000000..b7a69f3
--- /dev/null
+++ b/gnutls-3.4.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:06dacb1352792b9f05200eff33c9a9093ba3c706f4f88cb29ecbfb784b24b34a
+size 6567656
diff --git a/gnutls-3.4.4.tar.xz.sig b/gnutls-3.4.4.tar.xz.sig
new file mode 100644
index 0000000..5a69487
Binary files /dev/null and b/gnutls-3.4.4.tar.xz.sig differ
diff --git a/gnutls.changes b/gnutls.changes
index 13c7b36..8f999d1 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Aug 18 22:40:28 UTC 2015 - astieger@suse.com
+
+- Update to 3.4.4
+  This update contains a fix for a denial of service vulnerability:
+  * Allow the parsing of very long DNs. Also fixes double free
+    in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251
+  Other changes:
+  * Add high level API (gnutls_prf_rfc5705) to access the PRF as
+    specified by RFC5705.
+  * Link to trousers (TPM library) dynamically when this
+    functionality is requested. (disabled in SUSE package)
+  * Fix issue with server side sending the status request extension
+    even when not requested.
+  * Add support for RFC7507 by introducing the %FALLBACK_SCSV
+    priority string option.
+  * gnutls_pkcs11_privkey_generate2() will store the generated
+    public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
+    flag is specified.
+  * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback.
+  * API and ABI modifications:
+    gnutls_prf_rfc5705: Added
+    gnutls_hex_encode2: Added
+    gnutls_hex_decode2: Added
+- build with autogen for libopts compatibility
+- fix failures in test suite, add upstream commits
+  0001-certtool-lifted-limits-on-file-size-to-load.patch
+  0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch
+
+-------------------------------------------------------------------
+Thu Jul 30 15:39:34 UTC 2015 - vcizek@suse.com
+
+- update to 3.4.3
+  ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
+     dates prior to 2050.
+  ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it
+     was done only when cryptodev was enabled).
+  ** libgnutls: Removed support for pthread_atfork() as it has undefined
+     semantics when used with dlopen(), and may lead to a crash.
+  ** libgnutls: corrected failure when importing plain files 
+     with gnutls_x509_privkey_import2(), and a password was provided.
+  ** libgnutls: Don't reject certificates if a CA has the URI or IP address
+     name constraints, and the end certificate doesn't have an IP address 
+     name or a URI set.
+  ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.
+  ** p11tool: Added --list-token-urls option, and print the token module name
+     in list-tokens.
+  ** libgnutls: DTLS blocking API is more robust against infinite blocking,
+     and will notify of more possible timeouts.
+  ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
+     by Manuel Pegourie-Gonnard.
+  ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+     allows to disable SIGPIPE for writes done within gnutls.
+  ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
+     of structures. API moved to gnutls/pkcs7.h header.
+  ** certtool: Added options to generate PKCS #7 bundles and signed
+     structures.
+- includes changes from 3.4.2:
+  * DTLS blocking API is more robust against infinite blocking,
+    and will notify of more possible timeouts.
+  * Correct regression with Camellia-256-GCM cipher.
+  * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+    allows to disable SIGPIPE for writes done within gnutls.
+  * Enhance the PKCS #7 API to allow signing and verification
+    of structures. Move API to gnutls/pkcs7.h header.
+  * certtool: Added options to generate PKCS #7 bundles and signed
+    structures.
+
 -------------------------------------------------------------------
 Tue May  5 19:06:29 UTC 2015 - dmueller@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index 8716029..e21822f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -29,7 +29,7 @@
 %bcond_with tpm
 
 Name:           gnutls
-Version:        3.4.1
+Version:        3.4.4
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ and GPL-3.0+
@@ -41,6 +41,7 @@ Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.x
 Source2:        %name.keyring
 Source3:        baselibs.conf
 
+BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libidn-devel
@@ -58,7 +59,8 @@ Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 # disabled armv7l - valgrind appears to mishandle some insns
 # disabled aarch64 - valgrind mishandles exclusive load/store causing deadlocks
 %ifarch %ix86 x86_64 ppc64 s390x ppc64le
-BuildRequires:  valgrind
+# disabled all, valgrind breaks tests in 3.4.4
+#BuildRequires:  valgrind
 %endif
 %if %suse_version >= 1230
 BuildRequires:  makeinfo
@@ -295,6 +297,7 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_includedir}/%{name}/gnutls.h
 %{_includedir}/%{name}/openpgp.h
 %{_includedir}/%{name}/ocsp.h
+%{_includedir}/%{name}/pkcs7.h
 %{_includedir}/%{name}/pkcs11.h
 %{_includedir}/%{name}/pkcs12.h
 %{_includedir}/%{name}/self-test.h