diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 4feb013..4093a06 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Sat Mar 16 21:39:31 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.98
+  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
+                  in TLS
+  * bmo#1879513 - Certificate Compression: enabling the check that
+                  the compression was advertised
+  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
+  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
+                  Global Root GC CA
+  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
+                  `shutil.which` within `mach` in `nss`
+  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
+                  support Certificate compression
+  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
+  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
+                  for constant-time execution tests
+  * bmo#1870673 - Set nssckbi version number to 2.66
+  * bmo#1874017 - Add Telekom Security roots
+  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
+  * bmo#1865450 - Remove expired Security Communication RootCA1 root
+  * bmo#1876179 - move keys to a slot that supports concatenation in
+                  PK11_ConcatSymKeys
+  * bmo#1876800 - remove unmaintained tls-interop tests
+  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
+                  flags
+  * bmo#1874937 - bogo: add support for the -curves shim flag and
+                  update Kyber expectations
+  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
+  * bmo#1757758 - mozpkix: add option to ignore invalid subject
+                  alternative names
+  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
+  * bmo#1876390 - take ownership of ecckilla shims
+  * bmo#1874458 - add valgrind annotations to freebl/ec.c
+  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
+  * bmo#1875965 - Update zlib to 1.3.1
+
+-------------------------------------------------------------------
+Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support [bsc#1211301]
+  deactivated for now
+
 -------------------------------------------------------------------
 Fri Feb 23 11:55:45 UTC 2024 - pgajdos@suse.com
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 76024fd..bc0a0c9 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -2,7 +2,7 @@
 # spec file for package mozilla-nss
 #
 # Copyright (c) 2024 SUSE LLC
-# Copyright (c) 2006-2023 Wolfgang Rosenauer
+# Copyright (c) 2006-2024 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,15 @@
 #
 
 
-%global nss_softokn_fips_version 3.97
+%global nss_softokn_fips_version 3.98
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
+%global crypto_policies_version 20210118
 Name:           mozilla-nss
-Version:        3.97
+Version:        3.98
 Release:        0
-%define underscore_version 3_97
+%define underscore_version 3_98
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -95,6 +96,9 @@ BuildRequires:  jitterentropy-devel
 Requires(pre):  libjitterentropy3
 Requires:       libjitterentropy3
 %endif
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies >= %{crypto_policies_version}
+%endif
 Requires:       libfreebl3 >= %{nss_softokn_fips_version}
 Requires:       libsoftokn3 >= %{nss_softokn_fips_version}
 Requires:       mozilla-nspr >= %{NSPR_min_version}
@@ -277,6 +281,13 @@ export NSS_ENABLE_FIPS_INDICATORS=1
 export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\""
 #export SQLITE_LIB_NAME=nsssqlite3
 export MAKE_FLAGS="BUILD_OPT=1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+#export POLICY_FILE="nss.config"
+# location of the policy file
+#export POLICY_PATH="/etc/crypto-policies/back-ends"
+%endif
 EOF
 
 source ../obsenv.sh
@@ -298,6 +309,11 @@ export HOST="localhost"
 export DOMSUF="localdomain"
 export USE_IP=TRUE
 export IP_ADDRESS="127.0.0.1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+%endif
 EOF
 source ../obsenv.sh
 source ../obstestenv.sh
@@ -462,6 +478,11 @@ fi
 
 %postun sysinit -p /sbin/ldconfig
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%posttrans
+update-crypto-policies &> /dev/null || :
+%endif
+
 %files
 %{_libdir}/libnss3.so
 %{_libdir}/libnssutil3.so
diff --git a/nss-3.97.tar.gz b/nss-3.97.tar.gz
deleted file mode 100644
index e2ef9a3..0000000
--- a/nss-3.97.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:078efb8393f32e40b1fb4bf6930fff7f1aabed01287fcc5fe58aba736765fa0a
-size 76664827
diff --git a/nss-3.98.tar.gz b/nss-3.98.tar.gz
new file mode 100644
index 0000000..964b8aa
--- /dev/null
+++ b/nss-3.98.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce
+size 76685475