diff --git a/.gitignore b/.gitignore
index 4003a06..fb97387 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.16.2.tar.gz
+SOURCES/nss-3.16.2.3.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index 6a80d14..b2fbd5a 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -8,7 +8,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-c4e7f007723cfafcf7fe743000e3960cc5086642 SOURCES/nss-3.16.2.tar.gz
+264abc5af31eab16e2245e33a71f77cc7aae5c39 SOURCES/nss-3.16.2.3.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
new file mode 100644
index 0000000..d3e0f21
--- /dev/null
+++ b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
@@ -0,0 +1,154 @@
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat
+ }
+ 
+ static CERTCertificate *
+ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
+ {
+     nssDecodedCert *dc = NULL;
+     CERTCertificate *cc = NULL;
+     CERTCertTrust certTrust;
++    nssPKIObject *object = &c->object;
+ 
+-    nssPKIObject_Lock(&c->object);
++    /* make sure object does not go away until we finish */
++    nssPKIObject_AddRef(object);
++    nssPKIObject_Lock(object);
+ 
+     dc = c->decoding;
+     if (!dc) {
+ 	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
+ 	if (!dc) {
+             goto loser;
+         }
+ 	cc = (CERTCertificate *)dc->data;
+@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate *
+         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ 
+         CERT_LockCertTrust(cc);
+         cc->trust = trust;
+         CERT_UnlockCertTrust(cc);
+     }
+ 
+   loser:
+-    nssPKIObject_Unlock(&c->object);
++    nssPKIObject_Unlock(object);
++    nssPKIObject_Destroy(object);
+     return cc;
+ }
+ 
+ NSS_IMPLEMENT CERTCertificate *
+ STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
+ {
+     if (c->decoding) {
+ 	return stan_GetCERTCertificate(c, PR_TRUE);
+@@ -1265,16 +1269,17 @@ done:
+ */
+ static PRStatus
+ DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
+ {
+     int numNotDestroyed = 0;     /* the ones skipped plus the failures */
+     int failureCount = 0;        /* actual deletion failures by devices */
+     int index;
+ 
++    nssPKIObject_AddRef(tObject);
+     nssPKIObject_Lock(tObject);
+     /* Keep going even if a module fails to delete. */
+     for (index = 0; index < tObject->numInstances; index++) {
+ 	nssCryptokiObject *instance = tObject->instances[index];
+ 	if (!instance) {
+ 	    continue;
+ 	}
+ 
+@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
+     if (numNotDestroyed == 0) {
+     	nss_ZFreeIf(tObject->instances);
+     	tObject->numInstances = 0;
+     } else {
+     	tObject->numInstances = numNotDestroyed;
+     }
+ 
+     nssPKIObject_Unlock(tObject);
++    nssPKIObject_Destroy(tObject);
+ 
+     return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
+ }
+ 
+ /*
+ ** Delete trust objects matching the slot of the given certificate.
+ ** Returns an error if any device fails to delete. 
+ */
+@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
+     int i;
+ 
+     /* Iterate through the cert and trust object instances looking for
+      * those with matching pk11 slots to delete. Even if some device
+      * can't delete we keep going. Keeping a status variable for the
+      * loop so that once it's failed the other gets set.
+      */
+     NSSRWLock_LockRead(td->tokensLock);
++    nssPKIObject_AddRef(cobject);
+     nssPKIObject_Lock(cobject);
+     for (i = 0; i < cobject->numInstances; i++) {
+ 	nssCryptokiObject *cInstance = cobject->instances[i];
+ 	if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
+ 		PRStatus status;
+ 	    if (!tobject->numInstances || !tobject->instances) continue;
+ 	    status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
+ 	    if (status == PR_FAILURE) {
+ 	    	/* set the outer one but keep going */
+ 	    	nssrv = PR_FAILURE;
+ 	    }
+ 	}
+     }
+     nssPKIObject_Unlock(cobject);
++    nssPKIObject_Destroy(cobject);
+     NSSRWLock_UnlockRead(td->tokensLock);
+     return nssrv;
+ }
+ 
+ /* CERT_TraversePermCertsForSubject */
+ NSS_IMPLEMENT PRStatus
+ nssTrustDomain_TraverseCertificatesBySubject (
+   NSSTrustDomain *td,
+diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
+--- a/lib/pki/tdcache.c
++++ b/lib/pki/tdcache.c
+@@ -386,16 +386,17 @@ struct token_cert_dtor {
+ 
+ static void 
+ remove_token_certs(const void *k, void *v, void *a)
+ {
+     NSSCertificate *c = (NSSCertificate *)k;
+     nssPKIObject *object = &c->object;
+     struct token_cert_dtor *dtor = a;
+     PRUint32 i;
++    nssPKIObject_AddRef(object);
+     nssPKIObject_Lock(object);
+     for (i=0; i<object->numInstances; i++) {
+ 	if (object->instances[i]->token == dtor->token) {
+ 	    nssCryptokiObject_Destroy(object->instances[i]);
+ 	    object->instances[i] = object->instances[object->numInstances-1];
+ 	    object->instances[object->numInstances-1] = NULL;
+ 	    object->numInstances--;
+ 	    dtor->certs[dtor->numCerts++] = c;
+@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
+ 		dtor->certs = nss_ZREALLOCARRAY(dtor->certs, 
+ 		                                NSSCertificate *,
+ 		                                dtor->arrSize);
+ 	    }
+ 	    break;
+ 	}
+     }
+     nssPKIObject_Unlock(object);
++    nssPKIObject_Destroy(object);
+     return;
+ }
+ 
+ /* 
+  * Remove all certs for the given token from the cache.  This is
+  * needed if the token is removed. 
+  */
+ NSS_IMPLEMENT PRStatus
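Review bot: The AddRef/Destroy pair wrapped around `stan_GetCERTCertificate` keeps `c` alive only for the locked region; if `nssPKIObject_Destroy(object)` at `loser:` happens to drop the last reference, the object and presumably its `decoding` go away and the `cc` (`dc->data`) that is returned on the next line is dangling. That is probably intended, on the assumption that every caller already holds its own reference to `c`, but nothing in the function states that contract; a comment above the new `nssPKIObject_AddRef(object)` such as `/* caller must hold its own reference to c: the ref taken here only protects the locked region, the returned CERTCertificate is not ref-counted by this function */` would make the limit of the fix explicit. The same consideration applies to `remove_token_certs`, which stores `c` into `dtor->certs` before releasing its local reference, and to `DeleteCertTrustMatchingSlot`, which hands back a `tObject` it no longer pins. `stan_GetCERTCertificate` and `remove_token_certs` are complete inside the nested hunks; `STAN_DeleteCertTrustMatchingSlot` begins before its hunk.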
diff --git a/SOURCES/certutil-man-supply-missing-options.patch b/SOURCES/certutil-man-supply-missing-options.patch
new file mode 100644
index 0000000..14bf738
--- /dev/null
+++ b/SOURCES/certutil-man-supply-missing-options.patch
@@ -0,0 +1,76 @@
+diff -up ./nss/doc/certutil.xml.missing_options ./nss/doc/certutil.xml
+--- ./nss/doc/certutil.xml.missing_options	2014-11-25 10:14:22.068846717 -0800
++++ ./nss/doc/certutil.xml	2014-11-25 10:17:49.810974243 -0800
+@@ -204,6 +204,11 @@ If this option is not used, the validity
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--dump-ext-val OID </term>
++        <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-e </term>
+         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
+       </varlistentry>
+@@ -214,6 +219,26 @@ If this option is not used, the validity
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
++        <listitem>
++          <para>
++Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
++           </para>
++	<itemizedlist>
++	<listitem>
++<para>OID (example): 1.2.3.4</para>
++	</listitem>
++	<listitem>
++<para>critical-flag: critical or not-critical</para>
++	</listitem>
++	<listitem>
++<para>filename: full path to a file containing an encoded extension</para>
++	</listitem>
++	</itemizedlist>
++        </listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-f password-file</term>
+         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
+  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+@@ -376,6 +401,15 @@ of the attribute codes:
+ <para><command>V</command> (as an SSL server)</para>
+ 	</listitem>
+ 	<listitem>
++<para><command>L</command> (as an SSL CA)</para>
++	</listitem>
++	<listitem>
++<para><command>A</command> (as Any CA)</para>
++	</listitem>
++	<listitem>
++<para><command>Y</command> (Verify CA)</para>
++	</listitem>
++	<listitem>
+ <para><command>S</command> (as an email signer)</para>
+ 	</listitem>
+ 	<listitem>
+@@ -649,6 +683,17 @@ of the attribute codes:
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--extSAN type:name[,type:name]...</term>
++        <listitem><para>
++Create a Subject Alt Name extension with one or multiple names.
++          </para>
++          <para>
++-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
++        </para>
++        </listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>--empty-password</term>
+         <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
+       </varlistentry>
diff --git a/SOURCES/cve-2014-1568-nss-extra.patch b/SOURCES/cve-2014-1568-nss-extra.patch
deleted file mode 100644
index 507198e..0000000
--- a/SOURCES/cve-2014-1568-nss-extra.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1411493980 -7200
-# Node ID 8dd6c6ac977d063dbd093f092ba46e50e9bcb80b
-# Parent  fb7208e91ae8e819b38a80480f816efb32fbfab3
-Bug 1064636, follow up commit to fix Windows build bustage
-
-diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
---- a/lib/cryptohi/secvfy.c
-+++ b/lib/cryptohi/secvfy.c
-@@ -595,18 +595,18 @@ VFY_EndWithSignature(VFYContext *cx, SEC
- 	}
- 	break;
-       case rsaKey:
-       {
-         SECItem digest;
-         digest.data = final;
-         digest.len = part;
- 	if (sig) {
-+	    SECOidTag hashid;
- 	    PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN);
--	    SECOidTag hashid;
- 	    rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid,
- 					&cx->pkcs1RSADigestInfo,
- 					&cx->pkcs1RSADigestInfoLen,
- 					cx->key,
- 					sig, cx->wincx);
- 	    PORT_Assert(cx->hashAlg == hashid);
- 	    if (rv != SECSuccess) {
- 		return SECFailure;
-
diff --git a/SOURCES/cve-2014-1568-nss.patch b/SOURCES/cve-2014-1568-nss.patch
deleted file mode 100644
index a97e863..0000000
--- a/SOURCES/cve-2014-1568-nss.patch
+++ /dev/null
@@ -1,355 +0,0 @@
-
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1411493314 -7200
-# Node ID ad411fb64046d987272043f311ca477022c6fef4
-# Parent  70ae6afde27f9c977badc5271efa835c8a4ec4f0
-Fix bug 1064636, patch part 2, r=rrelyea
-
-diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
---- a/lib/cryptohi/secvfy.c
-+++ b/lib/cryptohi/secvfy.c
-@@ -7,121 +7,165 @@
- 
- #include <stdio.h>
- #include "cryptohi.h"
- #include "sechash.h"
- #include "keyhi.h"
- #include "secasn1.h"
- #include "secoid.h"
- #include "pk11func.h"
-+#include "pkcs1sig.h"
- #include "secdig.h"
- #include "secerr.h"
- #include "keyi.h"
- 
- /*
--** Decrypt signature block using public key
--** Store the hash algorithm oid tag in *tagp
--** Store the digest in the digest buffer
--** Store the digest length in *digestlen
-+** Recover the DigestInfo from an RSA PKCS#1 signature.
-+**
-+** If givenDigestAlg != SEC_OID_UNKNOWN, copy givenDigestAlg to digestAlgOut.
-+** Otherwise, parse the DigestInfo structure and store the decoded digest
-+** algorithm into digestAlgOut.
-+**
-+** Store the encoded DigestInfo into digestInfo.
-+** Store the DigestInfo length into digestInfoLen.
-+**
-+** This function does *not* verify that the AlgorithmIdentifier in the
-+** DigestInfo identifies givenDigestAlg or that the DigestInfo is encoded
-+** correctly; verifyPKCS1DigestInfo does that.
-+**
- ** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
- */
- static SECStatus
--DecryptSigBlock(SECOidTag *tagp, unsigned char *digest,
--		unsigned int *digestlen, unsigned int maxdigestlen,
--		SECKEYPublicKey *key, const SECItem *sig, char *wincx)
-+recoverPKCS1DigestInfo(SECOidTag givenDigestAlg,
-+                       /*out*/ SECOidTag* digestAlgOut,
-+                       /*out*/ unsigned char** digestInfo,
-+                       /*out*/ unsigned int* digestInfoLen,
-+                       SECKEYPublicKey* key,
-+                       const SECItem* sig, void* wincx)
- {
--    SGNDigestInfo *di   = NULL;
--    unsigned char *buf  = NULL;
--    SECStatus      rv;
--    SECOidTag      tag;
--    SECItem        it;
-+    SGNDigestInfo* di = NULL;
-+    SECItem it;
-+    PRBool rv = SECSuccess;
- 
--    if (key == NULL) goto loser;
-+    PORT_Assert(digestAlgOut);
-+    PORT_Assert(digestInfo);
-+    PORT_Assert(digestInfoLen);
-+    PORT_Assert(key);
-+    PORT_Assert(key->keyType == rsaKey);
-+    PORT_Assert(sig);
- 
-+    it.data = NULL;
-     it.len  = SECKEY_PublicKeyStrength(key);
--    if (!it.len) goto loser;
--    it.data = buf = (unsigned char *)PORT_Alloc(it.len);
--    if (!buf) goto loser;
-+    if (it.len != 0) {
-+        it.data = (unsigned char *)PORT_Alloc(it.len);
-+    }
-+    if (it.len == 0 || it.data == NULL ) {
-+        rv = SECFailure;
-+    }
- 
--    /* decrypt the block */
--    rv = PK11_VerifyRecover(key, (SECItem *)sig, &it, wincx);
--    if (rv != SECSuccess) goto loser;
-+    if (rv == SECSuccess) {
-+        /* decrypt the block */
-+        rv = PK11_VerifyRecover(key, sig, &it, wincx);
-+    }
-+    
-+    if (rv == SECSuccess) {
-+        if (givenDigestAlg != SEC_OID_UNKNOWN) {
-+            /* We don't need to parse the DigestInfo if the caller gave us the
-+             * digest algorithm to use. Later verifyPKCS1DigestInfo will verify
-+             * that the DigestInfo identifies the given digest algorithm and
-+             * that the DigestInfo is encoded absolutely correctly.
-+             */
-+            *digestInfoLen = it.len;
-+            *digestInfo = (unsigned char*)it.data;
-+            *digestAlgOut = givenDigestAlg;
-+            return SECSuccess;
-+        }
-+    }
- 
--    di = SGN_DecodeDigestInfo(&it);
--    if (di == NULL) goto sigloser;
-+    if (rv == SECSuccess) {
-+        /* The caller didn't specify a digest algorithm to use, so choose the
-+         * digest algorithm by parsing the AlgorithmIdentifier within the
-+         * DigestInfo.
-+         */
-+        di = SGN_DecodeDigestInfo(&it);
-+        if (!di) {
-+            rv = SECFailure;
-+        }
-+    }
- 
--    /*
--    ** Finally we have the digest info; now we can extract the algorithm
--    ** ID and the signature block
--    */
--    tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
--    /* Check that tag is an appropriate algorithm */
--    if (tag == SEC_OID_UNKNOWN) {
--	goto sigloser;
-+    if (rv == SECSuccess) {
-+        *digestAlgOut = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
-+        if (*digestAlgOut == SEC_OID_UNKNOWN) {
-+            rv = SECFailure;
-+        }
-     }
--    /* make sure the "parameters" are not too bogus. */
--    if (di->digestAlgorithm.parameters.len > 2) {
--	goto sigloser;
-+
-+    if (di) {
-+        SGN_DestroyDigestInfo(di);
-     }
--    if (di->digest.len > maxdigestlen) {
--	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
--	goto loser;
-+
-+    if (rv == SECSuccess) {
-+        *digestInfoLen = it.len;
-+        *digestInfo = (unsigned char*)it.data;
-+    } else {
-+        if (it.data) {
-+            PORT_Free(it.data);
-+        }
-+        *digestInfo = NULL;
-+        *digestInfoLen = 0;
-+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-     }
--    PORT_Memcpy(digest, di->digest.data, di->digest.len);
--    *tagp = tag;
--    *digestlen = di->digest.len;
--    goto done;
- 
--  sigloser:
--    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--
--  loser:
--    rv = SECFailure;
--
--  done:
--    if (di   != NULL) SGN_DestroyDigestInfo(di);
--    if (buf  != NULL) PORT_Free(buf);
--    
-     return rv;
- }
- 
--
- struct VFYContextStr {
-     SECOidTag hashAlg;  /* the hash algorithm */
-     SECKEYPublicKey *key;
-     /*
-      * This buffer holds either the digest or the full signature
-      * depending on the type of the signature (key->keyType).  It is
-      * defined as a union to make sure it always has enough space.
-      *
-      * Use the "buffer" union member to reference the buffer.
-      * Note: do not take the size of the "buffer" union member.  Take
-      * the size of the union or some other union member instead.
-      */
-     union {
- 	unsigned char buffer[1];
- 
--	/* the digest in the decrypted RSA signature */
--	unsigned char rsadigest[HASH_LENGTH_MAX];
- 	/* the full DSA signature... 40 bytes */
- 	unsigned char dsasig[DSA_MAX_SIGNATURE_LEN];
- 	/* the full ECDSA signature */
- 	unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
-     } u;
--    unsigned int rsadigestlen;
-+    unsigned int pkcs1RSADigestInfoLen;
-+    /* the encoded DigestInfo from a RSA PKCS#1 signature */
-+    unsigned char *pkcs1RSADigestInfo;
-     void * wincx;
-     void *hashcx;
-     const SECHashObject *hashobj;
-     SECOidTag encAlg;  /* enc alg */
-     PRBool hasSignature;  /* true if the signature was provided in the
-                            * VFY_CreateContext call.  If false, the
-                            * signature must be provided with a
-                            * VFY_EndWithSignature call. */
- };
- 
-+static SECStatus
-+verifyPKCS1DigestInfo(const VFYContext* cx, const SECItem* digest)
-+{
-+  SECItem pkcs1DigestInfo;
-+  pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
-+  pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
-+  return _SGN_VerifyPKCS1DigestInfo(
-+           cx->hashAlg, digest, &pkcs1DigestInfo,
-+           PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
-+}
-+
- /*
-  * decode the ECDSA or DSA signature from it's DER wrapping.
-  * The unwrapped/raw signature is placed in the buffer pointed
-  * to by dsig and has enough room for len bytes.
-  */
- static SECStatus
- decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
- 		       unsigned int len) {
-@@ -371,26 +415,26 @@ vfy_CreateContext(const SECKEYPublicKey 
- 	goto loser;
-     }
- 
-     cx->wincx = wincx;
-     cx->hasSignature = (sig != NULL);
-     cx->encAlg = encAlg;
-     cx->hashAlg = hashAlg;
-     cx->key = SECKEY_CopyPublicKey(key);
-+    cx->pkcs1RSADigestInfo = NULL;
-     rv = SECSuccess;
-     if (sig) {
- 	switch (type) {
- 	case rsaKey:
--	    rv = DecryptSigBlock(&cx->hashAlg, cx->u.buffer, &cx->rsadigestlen,
--			HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
--	    if (cx->hashAlg != hashAlg && hashAlg != SEC_OID_UNKNOWN) {
--		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--		rv = SECFailure;	
--	    }
-+	    rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
-+					&cx->pkcs1RSADigestInfo,
-+					&cx->pkcs1RSADigestInfoLen,
-+					cx->key,
-+					sig, wincx);
- 	    break;
- 	case dsaKey:
- 	case ecKey:
- 	    sigLen = SECKEY_SignatureLen(key);
- 	    if (sigLen == 0) {
- 		/* error set by SECKEY_SignatureLen */
- 		rv = SECFailure;	
- 		break;
-@@ -464,16 +508,19 @@ VFY_DestroyContext(VFYContext *cx, PRBoo
-     if (cx) {
- 	if (cx->hashcx != NULL) {
- 	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
- 	    cx->hashcx = NULL;
- 	}
- 	if (cx->key) {
- 	    SECKEY_DestroyPublicKey(cx->key);
- 	}
-+    if (cx->pkcs1RSADigestInfo) {
-+        PORT_Free(cx->pkcs1RSADigestInfo);
-+    }
- 	if (freeit) {
- 	    PORT_ZFree(cx, sizeof(VFYContext));
- 	}
-     }
- }
- 
- SECStatus
- VFY_Begin(VFYContext *cx)
-@@ -543,31 +590,35 @@ VFY_EndWithSignature(VFYContext *cx, SEC
- 	hash.data = final;
- 	hash.len = part;
- 	if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) {
- 		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- 		return SECFailure;
- 	}
- 	break;
-       case rsaKey:
-+      {
-+        SECItem digest;
-+        digest.data = final;
-+        digest.len = part;
- 	if (sig) {
--	    SECOidTag hashid = SEC_OID_UNKNOWN;
--	    rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen,
--		    HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx);
--	    if ((rv != SECSuccess) || (hashid != cx->hashAlg)) {
--		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+	    PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN);
-+	    SECOidTag hashid;
-+	    rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid,
-+					&cx->pkcs1RSADigestInfo,
-+					&cx->pkcs1RSADigestInfoLen,
-+					cx->key,
-+					sig, cx->wincx);
-+	    PORT_Assert(cx->hashAlg == hashid);
-+	    if (rv != SECSuccess) {
- 		return SECFailure;
- 	    }
- 	}
--	if ((part != cx->rsadigestlen) ||
--	    PORT_Memcmp(final, cx->u.buffer, part)) {
--	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--	    return SECFailure;
--	}
--	break;
-+	return verifyPKCS1DigestInfo(cx, &digest);
-+      }
-       default:
- 	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- 	return SECFailure; /* shouldn't happen */
-     }
-     return SECSuccess;
- }
- 
- SECStatus
-@@ -590,22 +641,17 @@ vfy_VerifyDigest(const SECItem *digest, 
-     SECItem dsasig; /* also used for ECDSA */
- 
-     rv = SECFailure;
- 
-     cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
-     if (cx != NULL) {
- 	switch (key->keyType) {
- 	case rsaKey:
--	    if ((digest->len != cx->rsadigestlen) ||
--		PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) {
--		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--	    } else {
--		rv = SECSuccess;
--	    }
-+	    rv = verifyPKCS1DigestInfo(cx, digest);
- 	    break;
- 	case dsaKey:
- 	case ecKey:
- 	    dsasig.data = cx->u.buffer;
- 	    dsasig.len = SECKEY_SignatureLen(cx->key);
- 	    if (dsasig.len == 0) {
- 		break;
- 	    }
-
diff --git a/SOURCES/manfixes.patch b/SOURCES/manfixes.patch
deleted file mode 100644
index c00b1f9..0000000
--- a/SOURCES/manfixes.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up doc/certutil.xml.missing_options doc/certutil.xml
---- doc/certutil.xml.missing_options	2014-08-06 08:05:31.515329622 -0700
-+++ doc/certutil.xml	2014-08-06 08:06:16.520764486 -0700
-@@ -204,6 +204,11 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--dump-ext-val OID </term>
-+        <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-e </term>
-         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
-       </varlistentry>
-@@ -214,6 +219,26 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
-+        <listitem>
-+          <para>
-+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
-+           </para>
-+	<itemizedlist>
-+	<listitem>
-+<para>OID (example): 1.2.3.4</para>
-+	</listitem>
-+	<listitem>
-+<para>critical-flag: critical or not-critical</para>
-+	</listitem>
-+	<listitem>
-+<para>filename: full path to a file containing an encoded extension</para>
-+	</listitem>
-+	</itemizedlist>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-f password-file</term>
-         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
-  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
-@@ -376,6 +401,15 @@ of the attribute codes:
- <para><command>V</command> (as an SSL server)</para>
- 	</listitem>
- 	<listitem>
-+<para><command>L</command> (as an SSL CA)</para>
-+	</listitem>
-+	<listitem>
-+<para><command>A</command> (as Any CA)</para>
-+	</listitem>
-+	<listitem>
-+<para><command>Y</command> (Verify CA)</para>
-+	</listitem>
-+	<listitem>
- <para><command>S</command> (as an email signer)</para>
- 	</listitem>
- 	<listitem>
-@@ -649,6 +683,17 @@ of the attribute codes:
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--extSAN type:name[,type:name]...</term>
-+        <listitem><para>
-+Create a Subject Alt Name extension with one or multiple names.
-+          </para>
-+          <para>
-+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
-+        </para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>--empty-password</term>
-         <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
-       </varlistentry>
diff --git a/SOURCES/p-1083360.patch b/SOURCES/p-1083360.patch
new file mode 100644
index 0000000..ed8c3d4
--- /dev/null
+++ b/SOURCES/p-1083360.patch
@@ -0,0 +1,142 @@
+diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c
+--- a/cmd/ssltap/ssltap.c
++++ b/cmd/ssltap/ssltap.c
+@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
+   case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
+   case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
+   case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
+   case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
+   case 0x00009C:    cs_str = "TLS/RSA/AES128-GCM/SHA256";	break;     
+   case 0x00009E:    cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256";	break;     
+ 
+   case 0x0000FF:    cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
++  case 0x005600:    cs_str = "TLS_FALLBACK_SCSV"; break;
+ 
+   case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
+   case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
+   case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
+   case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
+   case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
+   case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
+   case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
+diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
+--- a/cmd/tstclnt/tstclnt.c
++++ b/cmd/tstclnt/tstclnt.c
+@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
+     }
+ }
+ 
+ static void PrintUsageHeader(const char *progName)
+ {
+     fprintf(stderr, 
+ "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
+                     "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
+-                    "[-V [min-version]:[max-version]] [-T]\n"
++                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
+                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
+             progName);
+ }
+ 
+ static void PrintParameterUsage(void)
+ {
+     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
+                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
+@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
+     fprintf(stderr, 
+             "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
+     fprintf(stderr, 
+             "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
+             "%-20s All versions are enabled by default.\n"
+             "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
+             "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
+             "-V [min]:[max]", "", "", "");
++    fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
+     fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
+     fprintf(stderr, "%-20s Client speaks first. \n", "-f");
+     fprintf(stderr, "%-20s Use synchronous certificate validation "
+                     "(required for SSL2)\n", "-O");
+     fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
+     fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
+     fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
+     fprintf(stderr, "%-20s Use export policy.\n", "-x");
+@@ -802,16 +803,17 @@ int main(int argc, char **argv)
+     PRBool             enableSSL2 = PR_TRUE;
+     int                bypassPKCS11 = 0;
+     int                disableLocking = 0;
+     int                useExportPolicy = 0;
+     int                enableSessionTickets = 0;
+     int                enableCompression = 0;
+     int                enableFalseStart = 0;
+     int                enableCertStatus = 0;
++    int                forceFallbackSCSV = 0;
+     PRSocketOptionData opt;
+     PRNetAddr          addr;
+     PRPollDesc         pollset[2];
+     PRBool             allowIPv4 = PR_TRUE;
+     PRBool             allowIPv6 = PR_TRUE;
+     PRBool             pingServerFirst = PR_FALSE;
+     int                pingTimeoutSeconds = -1;
+     PRBool             clientSpeaksFirst = PR_FALSE;
+@@ -847,17 +849,17 @@ int main(int argc, char **argv)
+        if (sec > 0) {
+            maxInterval = PR_SecondsToInterval(sec);
+        }
+     }
+ 
+     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
+ 
+     optstate = PL_CreateOptState(argc, argv,
+-                                 "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
++                                 "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
+     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 	switch (optstate->option) {
+ 	  case '?':
+ 	  default : Usage(progName); 			break;
+ 
+           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
+           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
+ 
+@@ -869,16 +871,18 @@ int main(int argc, char **argv)
+                     }
+                     serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
+                     break;
+ 
+ 	  case 'I': /* reserved for OCSP multi-stapling */ break;
+ 
+           case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
+ 
++          case 'K': forceFallbackSCSV = PR_TRUE; break;
++
+           case 'M': switch (atoi(optstate->value)) {
+                       case 1:
+                           serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
+                           serverCertAuth.allowCRLSideChannelData = PR_FALSE;
+                           break;
+                       case 2:
+                           serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
+                           serverCertAuth.allowCRLSideChannelData = PR_TRUE;
+@@ -1213,16 +1216,24 @@ int main(int argc, char **argv)
+ 
+     /* enable false start. */
+     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
+     if (rv != SECSuccess) {
+ 	SECU_PrintError(progName, "error enabling false start");
+ 	return 1;
+     }
+ 
++    if (forceFallbackSCSV) {
++        rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
++        if (rv != SECSuccess) {
++            SECU_PrintError(progName, "error forcing fallback scsv");
++            return 1;
++        }
++    }
++
+     /* enable cert status (OCSP stapling). */
+     rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
+     if (rv != SECSuccess) {
+         SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
+         return 1;
+     }
+ 
+     SSL_SetPKCS11PinArg(s, &pwdata);
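Review bot: The `-K` help text added in `PrintParameterUsage`, `Send TLS_FALLBACK_SCSV`, leaves the operator to guess what the flag is for and when it is safe to use. Sending the SCSV signals a downgraded retry, so a server that implements the check will abort with an inappropriate_fallback alert whenever it supports a version newer than the client's offered maximum; with tstclnt's default of all versions enabled that presumably only triggers against servers newer than TLS 1.2, so in practice `-K` is meant to be paired with `-V` to lower the maximum version when testing a server's downgrade protection. A help line like `"%-20s Send TLS_FALLBACK_SCSV (simulate a downgraded retry; pair with -V to lower max version)\n", "-K"` would say that. The option parsing and the `SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE)` call are both inside this hunk, but `main()` itself starts and ends outside it.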
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index b462558..eb50b36 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,8 +1,8 @@
 %global nspr_version 4.10.6
-%global nss_util_version 3.16.2
+%global nss_util_version 3.16.2.3
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
-%global nss_softokn_version 3.16.2
+%global nss_softokn_version 3.16.2.3
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
 
@@ -20,8 +20,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.16.2
-Release:          7%{?dist}
+Version:          3.16.2.3
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -100,11 +100,12 @@ Patch55:          enable-fips-when-system-is-in-fips-mode.patch
 Patch56:          p-ignore-setpolicy.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
 Patch62:          dont-hold-issuer-cert-handles-in-crl-cache.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1007126
-Patch63:          manfixes.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
-Patch77: cve-2014-1568-nss.patch
-Patch78: cve-2014-1568-nss-extra.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
+Patch64: Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360
+# support TLS_FALLBACK_SCSV in tstclnt and ssltap
+Patch88: p-1083360.patch
+Patch89: certutil-man-supply-missing-options.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
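Review bot: Patch77 and Patch78, the CVE-2014-1568 backports tied to upstream bug 1064636, are removed from the patch list without any note in the spec saying where that fix now comes from; the rebase to 3.16.2.3 presumably carries it in the tarball, but a reader of the spec only sees a dropped CVE patch. A one-line comment where they used to be, `# CVE-2014-1568 (mozilla bug 1064636) fix is carried by the upstream 3.16.2.3 tarball; backport patches dropped`, keeps the audit trail, and the 3.16.2.3-1 changelog entry should state the same. It is also worth recording that the new tarball's sha1 in .nss.metadata was checked against the upstream release checksum before the old lookaside entry was replaced, since that hash is now the only integrity anchor for the source.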
@@ -200,10 +201,10 @@ popd
 %patch56 -p0 -b .1026677
 %patch62 -p0 -b .1034409
 pushd nss
-%patch63 -p0 -b .missing_options
-%patch77 -p1 -b cve-2014-1568-nss
-%patch78 -p1 -b cve-2014-1568-nss-extra
+%patch64 -p1 -b .1139349
+%patch88 -p1 -b .support_tls_fallback_scsv
 popd
+%patch89 -p0 -b .missing_options 
 
 #########################################################
 # Higher-level libraries and test tools need access to
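Review bot: The new `%patch89 -p0 -b .missing_options ` line ends with a trailing space and, unlike the old `%patch63` it replaces, is applied after `popd` at the top level with no explanation. That placement is correct because the new patch's paths are `./nss/doc/certutil.xml` rather than `doc/certutil.xml`, but the next person who tidies it back inside the `pushd nss` block will get a failing `%prep`. A comment before it, `# paths in this patch already start with nss/, so apply from the top-level directory`, plus dropping the trailing whitespace would settle it; the `%prep` section itself begins before this hunk.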
@@ -784,6 +785,19 @@ fi
 
 
 %changelog
+* Tue Nov 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-2
+- Restore patch for certutil man page
+- supply missing options descriptions
+- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+
+* Wed Nov 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-1
+- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+- Support TLS_FALLBACK_SCSV in tstclnt and ssltap
+
+* Fri Sep 26 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-8
+- Fix crash in stan_GetCERTCertificate
+- Resolves: Bug 1139349
+
 * Wed Sep 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-7
 - Resolves: Bug 1145433 - CVE-2014-1568