diff --git a/gnutls-3.5.11.tar.xz b/gnutls-3.5.11.tar.xz
deleted file mode 100644
index ab4dac3..0000000
--- a/gnutls-3.5.11.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:51765cc5579e250da77fbd7871507c517d01b15353cc40af7b67e9ec7b6fe28f
-size 7208068
diff --git a/gnutls-3.5.11.tar.xz.sig b/gnutls-3.5.11.tar.xz.sig
deleted file mode 100644
index dd96dcf..0000000
Binary files a/gnutls-3.5.11.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.5.13.tar.xz b/gnutls-3.5.13.tar.xz
new file mode 100644
index 0000000..3d86ff5
--- /dev/null
+++ b/gnutls-3.5.13.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79f5480ad198dad5bc78e075f4a40c4a315a1b2072666919d2d05a08aec13096
+size 7226468
diff --git a/gnutls-3.5.13.tar.xz.sig b/gnutls-3.5.13.tar.xz.sig
new file mode 100644
index 0000000..c7812af
Binary files /dev/null and b/gnutls-3.5.13.tar.xz.sig differ
diff --git a/gnutls-broken-openpgp-tests.patch b/gnutls-broken-openpgp-tests.patch
index 8d7325b..7b2a7ef 100644
--- a/gnutls-broken-openpgp-tests.patch
+++ b/gnutls-broken-openpgp-tests.patch
@@ -1,7 +1,7 @@
-Index: gnutls-3.5.11/tests/Makefile.am
+Index: gnutls-3.5.13/tests/Makefile.am
 ===================================================================
---- gnutls-3.5.11.orig/tests/Makefile.am
-+++ gnutls-3.5.11/tests/Makefile.am
+--- gnutls-3.5.13.orig/tests/Makefile.am 2017-06-07 07:17:11.000000000 +0200
++++ gnutls-3.5.13/tests/Makefile.am 2017-06-08 16:53:59.125158222 +0200
 @@ -19,7 +19,7 @@
 # along with this file; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
@@ -18,7 +18,7 @@ Index: gnutls-3.5.11/tests/Makefile.am - mini-dtls-record-asym openpgp-callback key-import-export \ + mini-dtls-record-asym key-import-export \ mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \ - strict-der tls-ext-register tls-supplemental mini-dtls0-9 \ + tls-ext-register tls-supplemental mini-dtls0-9 \ mini-record-retvals mini-server-name tls-etm x509-cert-callback \ @@ -236,6 +236,7 @@ endif endif diff --git a/gnutls.changes b/gnutls.changes index 8a074f6..ee2c357 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Thu Jun 8 22:51:06 UTC 2017 - astieger@suse.com
+
+- GnuTLS 3.5.13:
+ * libgnutls: fixed issue with AES-GCM in-place encryption and
+ decryption in aarch64
+ * libgnutls: no longer parse the ResponseID field of the status
+ response TLS extension. The field is not used by GnuTLS nor is
+ made available to calling applications. That addresses a null
+ pointer dereference on server side caused by packets containing
+ the ResponseID field. GNUTLS-SA-2017-4, bsc#1043398
+ * libgnutls: tolerate certificates which do not have strict DER
+ time encoding. It is possible using 3rd party tools to generate
+ certificates with time fields that do not conform to DER
+ requirements. Since 3.4.x these certificates were rejected and
+ cannot be used with GnuTLS, however that caused problems with
+ existing private certificate infrastructures, which were
+ relying on such certificates. Tolerate reading and using these
+ certificates.
+ * minitasn1: updated to libtasn1 4.11.
+ * certtool: allow multiple certificates to be used in --p7-sign
+ with the --load-certificate option
+
+-------------------------------------------------------------------
+Sun Jun 4 19:52:56 UTC 2017 - astieger@suse.com
+
+- GnuTLS 3.5.12:
+ * libgnutls: gnutls_x509_crt_check_hostname2() no longer matches
+ IP addresses against DNS fields of certificate (CN or DNSname).
+ The previous behavior was to tolerate some misconfigured
+ servers, but that was non-standard and skipped any IP
+ constraints present in higher level certificates.
+ * libgnutls: when converting to IDNA2008, fallback to IDNA2003
+ (i.e., transitional encoding) if the domain cannot be converted.
+ That provides maximum compatibility with browsers like firefox
+ that perform the same conversion.
+ * libgnutls: fix issue in RSA-PSK client callback which resulted
+ in no username being sent to the peer
+ * libgnutls: fix regression causing stapled extensions in trust
+ modules not to be considered.
+ * certtool: introduced the email_protection_key option. This
+ option was introduced in documentation for certtool without an
+ implementation of it. It is a shortcut for option
+ 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'.
+ * certtool: made printing of key ID and key PIN consistent
+ between certificates, public keys, and private keys. That is
+ the private key printing now uses the same format as the rest.
+ * gnutls-cli: introduced the --sni-hostname option. This allows
+ overriding the hostname advertised to the peer.
+
 -------------------------------------------------------------------
 Thu May 18 08:44:18 UTC 2017 - astieger@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index e77fc88..ae20221 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -29,7 +29,7 @@
 %define gnutls_dane_sover 0
 %endif
 Name: gnutls
-Version: 3.5.11
+Version: 3.5.13
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1+ and GPL-3.0+