diff --git a/python-urllib3.changes b/python-urllib3.changes
index e3faa94..93805ea 100644
--- a/python-urllib3.changes
+++ b/python-urllib3.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold
+
+- update to 1.25 (bsc#1132663, CVE-2019-11236):
+ * Require and validate certificates by default when using HTTPS
+ * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant.
+ * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use
+ encrypted ``key_file`` without creating your own ``SSLContext`` object.
+ * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext``
+ implementations. (Pull #1496)
+ * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft.
+ * Fixed issue where OpenSSL would block if an encrypted client private key was
+ given and no password was given. Instead an ``SSLError`` is raised.
+ * Added support for Brotli content encoding. It is enabled automatically if
+ ``brotlipy`` package is installed which can be requested with
+ ``urllib3[brotli]`` extra.
+ * Drop ciphers using DSS key exchange from default TLS cipher suites.
+ Improve default ciphers when using SecureTransport.
+ * Implemented a more efficient ``HTTPResponse.__iter__()`` method.
+- Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed
+
 -------------------------------------------------------------------
 Thu Apr 18 00:02:07 CEST 2019 - Matej Cepl
diff --git a/python-urllib3.spec b/python-urllib3.spec
index b15aec4..b55d20b 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -31,7 +31,7 @@ Name: python-urllib3-%{flavor}
 %else
 Name: python-urllib3
 %endif
-Version: 1.24.2
+Version: 1.25
 Release: 0
 Summary: HTTP library with thread-safe connection pooling, file post, and more
 License: MIT
@@ -41,8 +41,6 @@ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3
 # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied
 # should be removed in the future, see SR#437853
 Patch2: urllib3-ssl-default-context.patch
-# PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests
-Patch3: urllib3-test-ssl-drop-sslv3.patch
 # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date
 Patch4: python-urllib3-recent-date.patch
 BuildRequires: %{python_module PySocks}
@@ -91,7 +89,6 @@ Highlights
 %prep
 %setup -q -n urllib3-%{version}
 %patch2 -p1
-%patch3 -p1
 %patch4 -p1
 find . -type f -exec chmod a-x '{}' \;
diff --git a/urllib3-1.24.2.tar.gz b/urllib3-1.24.2.tar.gz
deleted file mode 100644
index 9f20240..0000000
--- a/urllib3-1.24.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3
-size 230699
diff --git a/urllib3-1.25.tar.gz b/urllib3-1.25.tar.gz
new file mode 100644
index 0000000..3a15bce
--- /dev/null
+++ b/urllib3-1.25.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f03eeb431c77b88cf8747d47e94233a91d0e0fdae1cf09e0b21405a885700266
+size 409895
diff --git a/urllib3-ssl-default-context.patch b/urllib3-ssl-default-context.patch
index 7e399ec..df0cb50 100644
--- a/urllib3-ssl-default-context.patch
+++ b/urllib3-ssl-default-context.patch
@@ -1,5 +1,7 @@
---- a/src/urllib3/util/ssl_.py
-+++ b/src/urllib3/util/ssl_.py
+Index: urllib3-1.25/src/urllib3/util/ssl_.py
+===================================================================
+--- urllib3-1.25.orig/src/urllib3/util/ssl_.py
++++ urllib3-1.25/src/urllib3/util/ssl_.py
@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None,
 elif ssl_context is None and hasattr(context, 'load_default_certs'):
 # try to load OS default certs; works well on Windows (require Python3.4+)
@@ -7,5 +9,5 @@
 + elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):
 + context.set_default_verify_paths()
- if certfile:
- context.load_cert_chain(certfile, keyfile)
+ # Attempt to detect if we get the goofy behavior of the
+ # keyfile being encrypted and OpenSSL asking for the
diff --git a/urllib3-test-ssl-drop-sslv3.patch b/urllib3-test-ssl-drop-sslv3.patch
deleted file mode 100644
index 8c2b7a1..0000000
--- a/urllib3-test-ssl-drop-sslv3.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/test/with_dummyserver/test_https.py
-+++ b/test/with_dummyserver/test_https.py
-@@ -557,7 +557,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
-
- class TestHTTPS_TLSv1(HTTPSDummyServerTestCase):
- certs = DEFAULT_CERTS.copy()
-- certs['ssl_version'] = ssl.PROTOCOL_TLSv1
-+ certs['ssl_version'] = ssl.PROTOCOL_TLSv1_2
-
- def setUp(self):
- self._pool = HTTPSConnectionPool(self.host, self.port)
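Review bot: In the refreshed urllib3-ssl-default-context.patch (second hunk), the carried branch `elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):` has no `ssl_context is None` condition, unlike the `load_default_certs` branch directly above it, so `context.set_default_verify_paths()` can run on an `SSLContext` the caller passed in. If that context was built to trust only a specific CA, the OS trust store would presumably be added to it, and a peer certificate chaining to any system CA would then verify. Consider `elif ssl_context is None and cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):`, or dropping the patch now that 1.25 validates certificates by default, as the spec comment ("should be removed in the future") already anticipates. The `if` that opens this `elif` chain and the rest of `ssl_wrap_socket` lie outside the hunk, so reachability should be confirmed against the full function.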