diff --git a/fetchmail-6.3.23.tar.bz2 b/fetchmail-6.3.23.tar.bz2
deleted file mode 100644
index f7b6384..0000000
--- a/fetchmail-6.3.23.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8322219ec2b1e98866230bbfa8a4e58185388157f915600e8a044b7cfb523ede
-size 1730476
diff --git a/fetchmail-6.3.25.tar.xz b/fetchmail-6.3.25.tar.xz
new file mode 100644
index 0000000..04adfb3
--- /dev/null
+++ b/fetchmail-6.3.25.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef1cfdf77b46c34e32a5957c7fa683969e3bf775731ec0dee6595630b290f149
+size 1285360
diff --git a/fetchmail.changes b/fetchmail.changes
index 28d2ba6..088cb68 100644
--- a/fetchmail.changes
+++ b/fetchmail.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Tue Mar 19 10:28:33 UTC 2013 - vcizek@suse.com
+
+- update to 6.3,25
+# CRITICAL AND REGRESSION FIXES
+* Plug a memory leak in OpenSSL's certificate verification callback.
+  This would affect fetchmail configurations running with SSL in daemon mode
+  more than one-shot runs.
+  Reported by Erik Thiele, and pinned by Dominik Heeg,
+  fixes Debian Bug #688015.
+  This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
+  when support for subjectAltName was added through a patch by Roland
+  Stigge, submitted as Debian Bug#201113.
+
+* The --logfile option now works again outside daemon mode, reported by Heinz
+  Diehl. The documentation that I had been reading was inconsistent with the
+  code, and only parts of the manual page claimed that --logfile was only
+  effective in daemon mode.
+
+# BUG FIXES
+* Fix a memory leak in out-of-memory error condition while handling plugins.
+  Report and patch by John Beck (found with Parfait static code analyzer).
+* Fix a NULL pointer dereference in out-of-memory error condition while handling
+  plugins.
+  Report and patch by John Beck (found with Parfait static code analyzer).
+
+# CHANGES
+* Improved reporting when SSL/TLS X.509 certificate validation has failed,
+  working around a not-so-recent swapping of two OpenSSL error codes, and
+  a practical impossibility to distinguish broken certification chains from
+  missing trust anchors (root certificates).
+* OpenSSL decoded errors are now reported through report(), rather than dumped
+  to stderr, so that they should show up in logfiles and/or syslog.
+* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
+  hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
+  PARTIAL fix for Debian Bug#700266.
+* The fetchmail manual page now refers the user to --softbounce from the
+  SMTP/ESMTP ERROR HANDLING section.  Reported by Anton Shterenlikht.
+
 -------------------------------------------------------------------
 Tue Dec 11 10:21:56 UTC 2012 - vcizek@suse.com
 
diff --git a/fetchmail.spec b/fetchmail.spec
index fd22e5f..e0de05a 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package fetchmail
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,7 @@ BuildRequires:  python-devel
 %if 0%{?with_krb5}
 BuildRequires:  krb5-devel
 %endif
-Version:        6.3.23
+Version:        6.3.25
 Release:        0
 Summary:        Full-Featured POP and IMAP Mail Retrieval Daemon
 License:        GPL-2.0+
@@ -39,7 +39,7 @@ Url:            http://fetchmail.berlios.de/
 # The fetchmail-{EN,SA}-*.txt security advisories
 # were relicensed to CC BY-ND 3.0, so there's no need
 # to repack the tarball without them anymore (bnc#713698)
-Source:         %{name}-%{version}.tar.bz2
+Source:         %{name}-%{version}.tar.xz
 Source1:        %{name}.init
 Source2:        %{name}.logrotate
 Source3:        sysconfig.%{name}
@@ -48,6 +48,7 @@ PreReq:         %fillup_prereq
 PreReq:         %insserv_prereq
 PreReq:         coreutils
 PreReq:         pwdutils
+BuildRequires:  xz
 Requires:       logrotate
 Suggests:       smtp_daemon
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -118,6 +119,9 @@ cp sysconfig.%{name} %{buildroot}%{_localstatedir}/adm/fillup-templates
 mkdir -p %{buildroot}%{_localstatedir}/log
 touch %{buildroot}%{_localstatedir}/log/fetchmail
 mkdir -p %{buildroot}%{_localstatedir}/lib/fetchmail
+# we don't need this, it's aimed at fetchmail developers
+# and rpmlint is complaining that we have a binary in /usr/share
+rm -r contrib/gai*
 %find_lang %{name}
 
 %pre