diff --git a/_service b/_service
index 73b2268..325e3ee 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
git
disable
.git
- v15.4.7
+ v16.0.4
@PARENT_TAG@
disable
v(.*)
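Review bot: the revision on the changed line is the tag name v16.0.4, not a commit, and a tag can be moved upstream after this is accepted. The commit that was actually fetched is only recorded in the commit line of teleport.obsinfo, so please confirm that it is what the upstream v16.0.4 tag points to, and compare it again if the source service is re-run for this version.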
diff --git a/teleport-15.4.7.obscpio b/teleport-15.4.7.obscpio
deleted file mode 100644
index 0fcf7e3..0000000
--- a/teleport-15.4.7.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4cf30701185d08b30467a90b76bde37880206b45395bd32eea4a25547e655e94
-size 254994446
diff --git a/teleport-16.0.4.obscpio b/teleport-16.0.4.obscpio
new file mode 100644
index 0000000..4fb9386
--- /dev/null
+++ b/teleport-16.0.4.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44a4cac8b9b02e00d0f54fe3568b2f4c2e1624cb2e0dcd6c6ae0e116770ce91d
+size 254966798
diff --git a/teleport.changes b/teleport.changes
index 5250c02..5706e49 100644
--- a/teleport.changes
+++ b/teleport.changes
@@ -1,3 +1,121 @@
+-------------------------------------------------------------------
+Thu Jul 11 19:44:53 UTC 2024 - Johannes Kastl
+
+- update to 16.0.4:
+ * Omit control plane services from the inventory list output for
+ Cloud-Hosted instances. #43779
+ * Updated Go toolchain to v1.22.5. #43768
+ * Reduced CPU usage in auth servers experiencing very high
+ concurrent request load. #43755
+ * Machine ID defaults to disabling the use of the Kubernetes exec
+ plugin when writing a Kubeconfig to a directory destination.
+ This removes the need to manually configure
+ disable_exec_plugin. #43655
+ * Fixed startup crash of Teleport Connect on Ubuntu 24.04 by
+ adding an AppArmor profile. #43653
+ * Added support for dialling leaf clusters to the tbot SSH
+ multiplexer. #43634
+ * Extend Teleport ability to use non-default cluster domains in
+ Kubernetes, avoiding the assumption of cluster.local. #43631
+ * Wait for user MFA input when reissuing expired certificates for
+ a kube proxy. #43612
+ * Improved error diagnostics when using Machine ID's SSH
+ multiplexer. #43586
+
+-------------------------------------------------------------------
+Thu Jul 11 19:31:49 UTC 2024 - Johannes Kastl
+
+- update to 16.0.3 (skipping 16.0.2 that was not released):
+ This release of Teleport contains a fix for a medium-level
+ security issue impacting Teleport Enterprise, as well as various
+ other updates and improvements
+ => the security fix has no relevance on openSUSE
+ * Other updates and improvements
+ - Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104).
+ #43474
+ - Fixed Discover setup access error when updating user. #43560
+ - Added audit event field describing if the "MFA for admin
+ actions" requirement changed. #43541
+ - Fixed remote port forwarding validation error. #43516
+ - Added support to trust system CAs for self-hosted databases.
+ #43493
+ - Added error display in the Web UI for SSH and Kubernetes
+ sessions. #43485
+ - Fixed accurate inventory reporting of the updater after it is
+ removed. #43454
+ - tctl alerts ls now displays remaining alert ttl. #43436
+ - Fixed input search for Teleport Connect's access request
+ listing. #43429
+ - Added Debug setting for event-handler. #43408
+ - Fixed Headless auth for sso users, including when local auth
+ is disabled. #43361
+ - Added configuration for custom CAs in the event-handler helm
+ chart. #43340
+ - Updated VNet panel in Teleport Connect to list custom DNS
+ zones and DNS zones from leaf clusters. #43312
+ - Fixed an issue with Database Access Controls preventing users
+ from making additional database connections. #43303
+ - Fixed bug that caused gRPC connections to be disconnected
+ when their certificate expired even though
+ DisconnectCertExpiry was false. #43290
+ - Fixed Connect My Computer in Teleport Connect failing with
+ "bind: invalid argument". #43287
+ - Fix a bug where a Teleport instance running only Jamf or
+ Discovery service would never have a healthy /readyz
+ endpoint. #43283
+ - Added a missing [Install] section to the teleport-acm systemd
+ unit file as used by Teleport AMIs. #43257
+ - Patched timing variability in curve25519-dalek. #43246
+ - Fixed setting request reason for automatic ssh access
+ requests. #43178
+ - Improved log rotation logic in Teleport Connect; now the
+ non-numbered files always contain recent logs. #43161
+ - Added tctl desktop bootstrap for bootstrapping AD
+ environments to work with Desktop Access. #43150
+
+-------------------------------------------------------------------
+Thu Jul 11 19:03:17 UTC 2024 - Johannes Kastl
+
+- update to 16.0.1:
+ * tctl now ignores any configuration file if the auth_service
+ section is disabled, and prefer loading credentials from a
+ given identity file or tsh profile instead. #43115
+ * Skip jamf_service validation when the service is not enabled.
+ #43095
+ * Fix v16.0.0 amd64 Teleport plugin images using arm64 binaries.
+ #43084
+ * Add ability to edit user traits from the Web UI. #43067
+ * Enforce limits when reading events from Firestore for large
+ time windows to prevent OOM events. #42966
+ * Allow all authenticated users to read the cluster vnet_config.
+ #42957
+ * Improve search and predicate/label based dialing performance in
+ large clusters under very high load. #42943
+
+-------------------------------------------------------------------
+Wed Jul 10 18:48:28 UTC 2024 - Johannes Kastl
+
+- major update to 16.0.0:
+ Teleport 16 brings the following new features and improvements:
+ * Teleport VNet
+ * Device Trust for the Web UI
+ * Increased support for per-session MFA
+ * Web UI notification system
+ * Access requests from the resources view
+ * tctl for Windows
+ * Teleport plugins improvements
+ Breaking changes:
+ * Multi-factor authentication is now required for local users
+ * Community Edition license
+ * Incompatible clients are rejected
+ * Opsgenie plugin annotations
+ * New required permissions for DynamoDB
+ * Machine ID and OpenSSH client config changes
+ * Removal of Active Directory configuration flow
+ * Teleport Assist is removed
+ Full changelog:
+ https://github.com/gravitational/teleport/releases/tag/v16.0.0
+
-------------------------------------------------------------------
Thu Jul 4 07:35:11 UTC 2024 - Johannes Kastl
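Review bot: in the 16.0.3 entry, the line "=> the security fix has no relevance on openSUSE" names neither the issue nor the reason the package is unaffected; the text above it only says the issue impacts Teleport Enterprise. Please state the reason explicitly so a later audit can verify it. In the same entry, CVE-2024-6104 is buried in the "Other updates and improvements" sub-list; moving it to the top of the entry would make the fix easier to find for anyone tracking this package by CVE. The 16.0.0 entry lists its breaking changes (for example "Multi-factor authentication is now required for local users" and "Incompatible clients are rejected") as titles only. Since this update goes from 15.4.7 straight to 16.0.4, a short line on what an administrator has to check before upgrading would help.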
diff --git a/teleport.obsinfo b/teleport.obsinfo
index b8a3a77..f824755 100644
--- a/teleport.obsinfo
+++ b/teleport.obsinfo
@@ -1,4 +1,4 @@
name: teleport
-version: 15.4.7
-mtime: 1720067281
-commit: 2611484dfdf000c08770ecc7b10b696897e7f3ba
+version: 16.0.4
+mtime: 1720063959
+commit: c733a8b018826c1e06ee687006efee5bc8a31a20
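Review bot: the new mtime (1720063959) is lower than the one it replaces (1720067281), so the 16.0.4 source is stamped earlier than the 15.4.7 source. That can happen when the two tags sit on different release branches, but it is worth confirming that the commit on the last line is the one tagged v16.0.4 upstream and that nothing in the build orders sources by mtime.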
diff --git a/teleport.spec b/teleport.spec
index 6fcfaba..ac87a5c 100644
--- a/teleport.spec
+++ b/teleport.spec
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: teleport
-Version: 15.4.7
+Version: 16.0.4
Release: 0
Summary: Identity-aware, multi-protocol access proxy
License: AGPL-3.0-only
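Review bot: the License line in the trailing context stays at AGPL-3.0-only, while the 16.0.0 entry added to teleport.changes in this same patch lists "Community Edition license" under breaking changes. Please confirm that the license of the sources built here is unchanged in 16.x, and say so in the changelog, so the unchanged tag is a recorded decision and not an oversight.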
diff --git a/vendor.tar.gz b/vendor.tar.gz
index 570cb4f..9dfb194 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:38212125d653ad724efa8a858ef093742f39bc9f4f28c04739de28f8b9299aad
-size 51518796
+oid sha256:4be74ed7daebb565a8ad5bdf1a26450055517017f2ae5b6d255700b8c022074a
+size 52510941
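Review bot: the vendor archive is replaced by a new Git LFS pointer (different oid, size up from 51518796 to 52510941), and nothing in the patch shows how it was regenerated or from which commit. The changelog credits this update with go-retryablehttp v0.7.7 for CVE-2024-6104, so please confirm the archive was rebuilt from the commit recorded in teleport.obsinfo and actually contains that version, since a stale vendor tree would ship the old dependency under the new version number.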