diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch
new file mode 100644
index 0000000..a49ee59
--- /dev/null
+++ b/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS	+= -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 73a0fd3..c58bfec 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Jun  7 12:30:44 UTC 2018 - wr@rosenauer.org
+
+- update to NSS 3.36.4
+  * Fix crash on macOS related to authentication tokens, e.g. PK11or
+    WebAuthn. (bmo#1461731)
+  Bugfixes from 3.36.2
+  * Connecting to a server that was recently upgraded to TLS 1.3
+    would result in a SSL_RX_MALFORMED_SERVER_HELLO error. (bmo#1462303)
+  * Fix a rare bug with PKCS#12 files. (bmo#1460673)
+- use relro linker option (add-relro-linker-option.patch)
+
 -------------------------------------------------------------------
 Tue Apr 24 05:58:54 UTC 2018 - wr@rosenauer.org
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 035b3b6..d9b4444 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.19
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.36.1
+Version:        3.36.4
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_1_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.36.1/nss ; cd nss-3.36.1/nss ; hg up NSS_3_36_1_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_4_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.36.4/nss ; cd nss-3.36.4/nss ; hg up NSS_3_36_4_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -52,6 +52,7 @@ Source99:       %{name}.changes
 Patch1:         nss-opt.patch
 Patch2:         system-nspr.patch
 Patch3:         nss-no-rpath.patch
+Patch4:         add-relro-linker-option.patch
 Patch5:         malloc.patch
 Patch6:         nss-disable-ocsp-test.patch
 Patch7:         nss-sqlitename.patch
@@ -170,6 +171,7 @@ cd nss
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %if %suse_version > 1110
 %patch5 -p1
 %endif
diff --git a/nss-3.36.1.tar.gz b/nss-3.36.1.tar.gz
deleted file mode 100644
index 0c521c1..0000000
--- a/nss-3.36.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6025441d528ff6a7f1a4b673b6ee7d3540731ada3f78d5acd5c3b3736b222bff
-size 23026430
diff --git a/nss-3.36.4.tar.gz b/nss-3.36.4.tar.gz
new file mode 100644
index 0000000..98bfb0b
--- /dev/null
+++ b/nss-3.36.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33de96b33dc9225d8f637debc3f62bd1fee6a4415cd97c9cf07d7e685779246a
+size 23030385