diff --git a/a3f6783.patch b/a3f6783.patch
deleted file mode 100644
index d3a09b0..0000000
--- a/a3f6783.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-commit a3f6783b1cfe4b8067312fa65828fcd925757c38
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   Tue Jun 5 06:11:29 2018 +0000
-
-    Bug 4831: filter chain certificates for validity when loading (#187)
-    
-    51e09c08a5e6c582e7d93af99a8f2cfcb14ea9e6 adding
-    GnuTLS support required splitting the way
-    certificate chains were loaded. This resulted in the
-    leaf certificate being added twice at the prefix of a
-    chain in the serverHello.
-    
-    It turns out that some recipients validate strictly that the
-    chain delivered by a serverHello does not contain extra
-    certificates and reject the handshake if they do.
-    
-    This patch implements the XXX about filtering certificates
-    for chain sequence order and self-sign properties, added
-    in the initial PR. Resolving the bug 4831 regression and also
-    reporting failures at startup/reconfigure for admins.
-    
-    Also, add debug display of certificate names for simpler
-    detection and administrative fix when loaded files fail
-    these tests.
-
-diff --git a/src/security/KeyData.cc b/src/security/KeyData.cc
-index 23d123954..052c64ffd 100644
---- a/src/security/KeyData.cc
-+++ b/src/security/KeyData.cc
-@@ -86,8 +86,6 @@ void
- Security::KeyData::loadX509ChainFromFile()
- {
- #if USE_OPENSSL
--    // XXX: This BIO loads the public cert as first chain cert,
--    //      so the code appending chains sends it twice in handshakes.
-     const char *certFilename = certFile.c_str();
-     Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
-     if (!bio || !BIO_read_filename(bio.get(), certFilename)) {
-@@ -96,14 +94,41 @@ Security::KeyData::loadX509ChainFromFile()
-         return;
-     }
- 
--    if (X509_check_issued(cert.get(), cert.get()) == X509_V_OK)
--        debugs(83, 5, "Certificate is self-signed, will not be chained");
--    else {
-+#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
-+    if (X509_check_issued(cert.get(), cert.get()) == X509_V_OK) {
-+        char *nameStr = X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0);
-+        debugs(83, DBG_PARSE_NOTE(2), "Certificate is self-signed, will not be chained: " << nameStr);
-+        OPENSSL_free(nameStr);
-+    } else
-+#endif
-+    {
-+        debugs(83, DBG_PARSE_NOTE(3), "Using certificate chain in " << certFile);
-         // and add to the chain any other certificate exist in the file
--        while (X509 *ca = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
--            // XXX: self-signed check should be applied to all certs loaded.
--            // XXX: missing checks that the chained certs are actually part of a chain for validating cert.
--            chain.emplace_front(Security::CertPointer(ca));
-+        CertPointer latestCert = cert;
-+
-+        while (auto ca = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
-+            // get Issuer name of the cert for debug display
-+            char *nameStr = X509_NAME_oneline(X509_get_subject_name(ca), nullptr, 0);
-+
-+#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
-+            // self-signed certificates are not valid in a sent chain
-+            if (X509_check_issued(ca, ca) == X509_V_OK) {
-+                debugs(83, DBG_PARSE_NOTE(2), "CA " << nameStr << " is self-signed, will not be chained: " << nameStr);
-+                OPENSSL_free(nameStr);
-+                continue;
-+            }
-+#endif
-+            // checks that the chained certs are actually part of a chain for validating cert
-+            if (X509_check_issued(ca, latestCert.get()) == X509_V_OK) {
-+                debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << nameStr);
-+                // OpenSSL API requires that we order certificates such that the
-+                // chain can be appended directly into the on-wire traffic.
-+                latestCert = CertPointer(ca);
-+                chain.emplace_front(latestCert);
-+            } else {
-+                debugs(83, DBG_PARSE_NOTE(2), "Ignoring non-issuer CA from " << certFile << ": " << nameStr);
-+            }
-+            OPENSSL_free(nameStr);
-         }
-     }
- 
diff --git a/squid-4.0.24.tar.xz b/squid-4.0.24.tar.xz
deleted file mode 100644
index fc36236..0000000
--- a/squid-4.0.24.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:091da0d763307dcc0f5c784ab07ea0c5a093f6dfac60f17ff26e2a6d50f76a07
-size 2420076
diff --git a/squid-4.0.24.tar.xz.asc b/squid-4.0.24.tar.xz.asc
deleted file mode 100644
index bb0c3d9..0000000
--- a/squid-4.0.24.tar.xz.asc
+++ /dev/null
@@ -1,25 +0,0 @@
-File: squid-4.0.24.tar.xz
-Date: Wed Mar  7 15:09:08 UTC 2018
-Size: 2420076
-MD5 : dcb167d7677ff469c1c59b0baad8a5be
-SHA1: 8c9bbe539af5f1060d93d30d7e099a6badc1f3e1
-Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
-            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlqgAJwACgkQzW2/jvOx
-fT7HgBAAnyzIsJ95aFGQGKsXxxzXMQkjrWu2XQS6Fg9oJ/jFtS99msvoRZXLzpTs
-m5/n0QIk9h9xXPs8iOsfJLUymslw8LLOMIfljFVfxBId8pb4wcKf+OTGRjnmrqFy
-5btu1xr5kZuKSbNzP5KXet6KOitkkC+siuCfaZ5a8Zuf+aJRQBoc9v9ETbfnXesg
-kJWUd7G7BgvxCYC8x/dstabi3iA8qWk1zE01fZ2V9Xa5Cx4zYe7G6XFqG79VoMyd
-uaLBWhC055Xf8Pt87KSBDrSgQMrFTlnwi/ybAROIXbF3B0FEVtBbRmjI9YvOAhIM
-dMassujNGwFFcIFq2ghh6EHgChreV+zRqLOghGRy5+A0d9lUNKRGTOFHhJAMauKs
-ipMFJuc6oKL22TGaFyRJmQjY+F/Fkow99k7M3XMtMp8Ybl0APgCU35ac0F9UkeSh
-lU68Y4ZzBn2//z+vRDF4AtJuwCAec1uHWFp8LsXjVMJHa3xKONy766LYIZJnYU4p
-Pco0UGDT0bKl5xSA0a3Awx2FYsQn7Ng9TSmgk2G+GJrWNfqEPqdZ9xaCuW78GwvG
-41QYQTALAsfWjzVYVvPxSkELPNdZp7tn8PKrJZhEoLDkxO3cC1p1WrOUrLFzsTi+
-+iDtv9RNtvHpGuzQ8MDl5Ek7pYOlNhP/ecDAJQ1/gXljspYZoIo=
-=3OwY
------END PGP SIGNATURE-----
diff --git a/squid-4.0.25.tar.xz b/squid-4.0.25.tar.xz
new file mode 100644
index 0000000..5c2374d
--- /dev/null
+++ b/squid-4.0.25.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f70dc75148895c3cc0d232596fee0eb346d92f5457c7180d493f133410c2d626
+size 2424644
diff --git a/squid-4.0.25.tar.xz.asc b/squid-4.0.25.tar.xz.asc
new file mode 100644
index 0000000..5730b5b
--- /dev/null
+++ b/squid-4.0.25.tar.xz.asc
@@ -0,0 +1,25 @@
+File: squid-4.0.25.tar.xz
+Date: Mon Jun 11 17:15:25 UTC 2018
+Size: 2424644
+MD5 : a0b5f7bd39216aa7d8fce332441bbff7
+SHA1: 306117ebc37dc475cad5d8dc29a3fdf89a75e5c3
+Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
+            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlserjcACgkQzW2/jvOx
+fT7aGQ//Sez7N4o7uzBlmrd3h3O0/plPhxNcbvWgMjz8RNGZDPIhNwYt8QUpeyTG
+47Uw01ukmIKJstekYvjHYlu8LGY1Sgc0OGv7VxdreOOKN2pewnoJ0c3JFHSl/Lu+
+pH8ePWPVSWWWAWIOsjCkbiEHzUtp3F1U/xUlpUuSDPepEE+RPe/6n11ugAMlKQUW
+TfVJ4+9BBb1hbGcrMjdyn6OohsiXZtH3+kk9rV4KkKfoyAUCBgDgb9mW30yRcHip
+B2CEOxzwRyCPZaT3uc7kPg9mThtLKAkvsLlamYw35nGzzwt1Kr/e49Q8TJBMdXkK
+AWP6N9tfr3Hsi4akcV12ZyiMZzPJGIS/E/KDGlh5049lzCoHcMEwuc9C37N+oZCg
+esBraPiXEF8y0wEIHQ1DOEBx2qAETlVsqj+D8LV3LiRJcKzqqQRPmJ3963lKxo83
+LYRgA1OFL4O39TI7SdgctMkOfpWDosTqX6nqzVAvmmXLxspE+L2VS7ydZGZH3tG2
+inGyf4i0nWCDoqkkcGEfZaq3zysceiL3KdsyqMra9I+QW/S4TRYiTO0pqbJXHgq7
+/8YdUdbCRH2UR9OYHO7Oq1KtzRQNMNR0H/fMgQ6yGWnvqmXLhPnGkZoUq0RIHqwV
+p3QX0TOtD90zg5Zi6ppysZIk6GdhmVxl0w80BT/hZ8En3yQaI1Q=
+=EpT6
+-----END PGP SIGNATURE-----
diff --git a/squid.changes b/squid.changes
index 2e106b1..01fb8ae 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Jun 18 13:04:17 UTC 2018 - adam.majer@suse.de
+
+- New upstream version 4.0.25:
+  + Fixed regression: querying private entries for HTCP/ICP
+  + Fixed regression: deny_info %R macro not being expanded
+  + Fixed regression: proxy_auth ACL -i/+i flags not working
+  + Fixed regression: filter chain certificates for validity
+    when loading
+  + Fixed regression: Transient reader locking broken in 4.0.24
+  + Fixed NegotiateSsl crash on aborting transaction
+  + Fixed IPC shared memory leaks when disker queue overflows
+  + Update negotiate_kerberos_auth helper protocol to v3.4
+  + Fixed: purge tool does not obey --sysconfdir= build option
+  + Add timestamps to (most) FATAL messages
+- a3f6783.patch: upstreamed, obsolete.
+
 -------------------------------------------------------------------
 Wed Jun  6 13:52:01 UTC 2018 - adam.majer@suse.de
 
diff --git a/squid.spec b/squid.spec
index db402fd..f2c65f7 100644
--- a/squid.spec
+++ b/squid.spec
@@ -19,7 +19,7 @@
 %define         squidlibdir %{_libdir}/squid
 %define         squidconfdir %{_sysconfdir}/squid
 Name:           squid
-Version:        4.0.24
+Version:        4.0.25
 Release:        0
 Summary:        Caching and forwarding HTTP web proxy
 License:        GPL-2.0-or-later
@@ -38,7 +38,6 @@ Source13:       http://www.squid-cache.org/pgp.asc#/squid.keyring
 Source15:       cache_dir.sed
 Source16:       initialize_cache_if_needed.sh
 Patch1:         missing_installs.patch
-Patch2:         a3f6783.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  db-devel
 BuildRequires:  ed
@@ -87,7 +86,6 @@ cp %{SOURCE10} .
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
 %patch1 -p1
-%patch2 -p1
 
 %build
 autoreconf -fi