diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 523163a..ea28e50 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Fri Mar 21 21:16:31 UTC 2014 - wr@rosenauer.org
+
+- update to 3.16
+  * required for Firefox 29
+  * bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
+    character should not be embedded within the U-label of an
+    internationalized domain name. See the last bullet point in RFC 6125,
+    Section 7.2.
+  * Supports the Linux x32 ABI. To build for the Linux x32 target, set
+    the environment variable USE_X32=1 when building NSS.
+  New Functions:
+  * NSS_CMSSignerInfo_Verify
+  New Macros
+  * TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
+    cipher suites that were first defined in SSL 3.0 can now be referred
+    to with their official IANA names in TLS, with the TLS_ prefix.
+    Previously, they had to be referred to with their names in SSL 3.0,
+    with the SSL_ prefix.
+  Notable Changes:
+  * ECC is enabled by default. It is no longer necessary to set the
+    environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
+    ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
+  * libpkix should not include the common name of CA as DNS names when
+    evaluating name constraints.
+  * AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
+  * Fix a memory corruption in sec_pkcs12_new_asafe.
+  * If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
+    test sdb_measureAccess.
+  * The built-in roots module has been updated to version 1.97, which
+    adds, removes, and distrusts several certificates.
+  * The atob utility has been improved to automatically ignore lines of
+    text that aren't in base64 format.
+  * The certutil utility has been improved to support creation of
+    version 1 and version 2 certificates, in addition to the existing
+    version 3 support.
+
 -------------------------------------------------------------------
 Tue Feb 25 11:31:18 UTC 2014 - wr@rosenauer.org
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index a93cbf6..9c209dc 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.9
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.15.5
+Version:        3.16
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_5_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.15.5/nss ; cd nss-3.15.5/nss ; hg up NSS_3_15_5_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.16/nss ; cd nss-3.16/nss ; hg up NSS_3_16_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -195,7 +195,7 @@ export USE_64=1
 %endif
 export NSS_USE_SYSTEM_SQLITE=1
 #export SQLITE_LIB_NAME=nsssqlite3
-MAKE_FLAGS="BUILD_OPT=1 NSS_ENABLE_ECC=1"
+MAKE_FLAGS="BUILD_OPT=1"
 make nss_build_all $MAKE_FLAGS
 # run testsuite
 %if 0%{?run_testsuite}
diff --git a/nss-3.15.5.tar.gz b/nss-3.15.5.tar.gz
deleted file mode 100644
index 046e241..0000000
--- a/nss-3.15.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43
-size 6367893
diff --git a/nss-3.16.tar.gz b/nss-3.16.tar.gz
new file mode 100644
index 0000000..7b488ad
--- /dev/null
+++ b/nss-3.16.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bb4faa200962caacf0454f1e870e74aa9a543809e5c440f7978bcce58e0bfe8
+size 6378110