diff --git a/postgresql-16.7.tar.bz2 b/postgresql-16.7.tar.bz2
deleted file mode 100644
index b112f4e..0000000
--- a/postgresql-16.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe
-size 24905167
diff --git a/postgresql-16.7.tar.bz2.sha256 b/postgresql-16.7.tar.bz2.sha256
deleted file mode 100644
index d94bd8a..0000000
--- a/postgresql-16.7.tar.bz2.sha256
+++ /dev/null
@@ -1 +0,0 @@
-62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe postgresql-16.7.tar.bz2
diff --git a/postgresql-16.8.tar.bz2 b/postgresql-16.8.tar.bz2
new file mode 100644
index 0000000..04ae35a
--- /dev/null
+++ b/postgresql-16.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8
+size 24911337
diff --git a/postgresql-16.8.tar.bz2.sha256 b/postgresql-16.8.tar.bz2.sha256
new file mode 100644
index 0000000..29a8f9f
--- /dev/null
+++ b/postgresql-16.8.tar.bz2.sha256
@@ -0,0 +1 @@
+9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8 postgresql-16.8.tar.bz2
diff --git a/postgresql16.changes b/postgresql16.changes
index db5e44d..fb98c72 100644
--- a/postgresql16.changes
+++ b/postgresql16.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Feb 18 11:36:44 UTC 2025 - Reinhard Max
+
+- Upgrade to 16.8:
+ * Improve behavior of libpq's quoting functions:
+ The changes made for CVE-2025-1094 had one serious oversight:
+ PQescapeLiteral() and PQescapeIdentifier() failed to honor
+ their string length parameter, instead always reading to the
+ input string's trailing null. This resulted in including
+ unwanted text in the output, if the caller intended to
+ truncate the string via the length parameter. With very bad
+ luck it could cause a crash due to reading off the end of
+ memory.
+ In addition, modify all these quoting functions so that when
+ invalid encoding is detected, an invalid sequence is
+ substituted for just the first byte of the presumed
+ character, not all of it. This reduces the risk of problems
+ if a calling application performs additional processing on
+ the quoted string.
+ * Fix small memory leak in pg_createsubscriber.
+ * https://www.postgresql.org/docs/release/16.8/
+ * https://www.postgresql.org/about/news/p-3018/
+
 -------------------------------------------------------------------
 Tue Feb 11 14:27:58 UTC 2025 - Reinhard Max
diff --git a/postgresql16.spec b/postgresql16.spec
index d3c102f..2eecc1f 100644
--- a/postgresql16.spec
+++ b/postgresql16.spec
@@ -16,7 +16,7 @@
 #
-%define pgversion 16.7
+%define pgversion 16.8
 %define pgmajor 16
 %define buildlibs 0
 %define tarversion %{pgversion}