diff --git a/libpq.spec b/libpq.spec
index 53c8b4a..2484cae 100644
--- a/libpq.spec
+++ b/libpq.spec
@@ -3,8 +3,8 @@
 
 Summary: PostgreSQL client library
 Name: libpq
-Version: %{majorversion}.1
-Release: 8%{?dist}
+Version: %{majorversion}.8
+Release: 1%{?dist}
 
 License: PostgreSQL
 Url: http://www.postgresql.org/
@@ -17,7 +17,6 @@ Source1: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}
 Patch1: libpq-10.3-rpm-pgsql.patch
 Patch2: libpq-10.3-var-run-socket.patch
 Patch3: libpq-12.1-symbol-versioning.patch
-Patch4: postgresql-openssl32.patch
 
 BuildRequires: gcc
 BuildRequires: glibc-devel bison flex gawk
@@ -141,6 +140,9 @@ find_lang_bins %name-devel.lst  pg_config
 %_libdir/pkgconfig/libpq.pc
 
 %changelog
+* Thu Feb 20 2025 Ales Nezbeda <anezbeda@redhat.com> 16.8-1
+- Update to 16.8
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 16.1-8
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018
diff --git a/postgresql-openssl32.patch b/postgresql-openssl32.patch
deleted file mode 100644
index 683ffc5..0000000
--- a/postgresql-openssl32.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-Backport of commit b2b1f12882fb561c7d474b834044dd8ed570bfea to 16.1
-
-Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
-
-We should have done it this way all along, but we accidentally got
-away with using the wrong BIO field up until OpenSSL 3.2.  There,
-the library's BIO routines that we rely on use the "data" field
-for their own purposes, and our conflicting use causes assorted
-weird behaviors up to and including core dumps when SSL connections
-are attempted.  Switch to using the approved field for the purpose,
-i.e. app_data.
-
-While at it, remove our configure probes for BIO_get_data as well
-as the fallback implementation.  BIO_{get,set}_app_data have been
-there since long before any OpenSSL version that we still support,
-even in the back branches.
-
-Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
-change in an error message spelling that evidently came in with 3.2.
-
-Tristan Partin and Bo Andreson.  Back-patch to all supported branches.
-
-Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
----
-
-diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
-index 31b6a6eacdf0..1b8b32c5b39e 100644
---- a/src/backend/libpq/be-secure-openssl.c
-+++ b/src/backend/libpq/be-secure-openssl.c
-@@ -842,11 +842,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
-  * to retry; do we need to adopt their logic for that?
-  */
- 
--#ifndef HAVE_BIO_GET_DATA
--#define BIO_get_data(bio) (bio->ptr)
--#define BIO_set_data(bio, data) (bio->ptr = data)
--#endif
--
- static BIO_METHOD *my_bio_methods = NULL;
- 
- static int
-@@ -856,7 +851,7 @@ my_sock_read(BIO *h, char *buf, int size)
- 
- 	if (buf != NULL)
- 	{
--		res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
-+		res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size);
- 		BIO_clear_retry_flags(h);
- 		if (res <= 0)
- 		{
-@@ -876,7 +871,7 @@ my_sock_write(BIO *h, const char *buf, int size)
- {
- 	int			res = 0;
- 
--	res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
-+	res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size);
- 	BIO_clear_retry_flags(h);
- 	if (res <= 0)
- 	{
-@@ -952,7 +947,7 @@ my_SSL_set_fd(Port *port, int fd)
- 		SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
- 		goto err;
- 	}
--	BIO_set_data(bio, port);
-+	BIO_set_app_data(bio, port);
- 
- 	BIO_set_fd(bio, fd, BIO_NOCLOSE);
- 	SSL_set_bio(port->ssl, bio, bio);
-diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
-index 4aeaf08312ce..e669bdbf1d2d 100644
---- a/src/interfaces/libpq/fe-secure-openssl.c
-+++ b/src/interfaces/libpq/fe-secure-openssl.c
-@@ -1815,11 +1815,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
-  * to retry; do we need to adopt their logic for that?
-  */
- 
--#ifndef HAVE_BIO_GET_DATA
--#define BIO_get_data(bio) (bio->ptr)
--#define BIO_set_data(bio, data) (bio->ptr = data)
--#endif
--
- static BIO_METHOD *my_bio_methods;
- 
- static int
-@@ -1828,7 +1823,7 @@ my_sock_read(BIO *h, char *buf, int size)
- {
- 	int			res;
- 
--	res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
-+	res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
- 	BIO_clear_retry_flags(h);
- 	if (res < 0)
- 	{
-@@ -1858,7 +1853,7 @@ my_sock_write(BIO *h, const char *buf, int size)
- {
- 	int			res;
- 
--	res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
-+	res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
- 	BIO_clear_retry_flags(h);
- 	if (res < 0)
- 	{
-@@ -1968,7 +1963,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
- 		SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
- 		goto err;
- 	}
--	BIO_set_data(bio, conn);
-+	BIO_set_app_data(bio, conn);
- 
- 	SSL_set_bio(conn->ssl, bio, bio);
- 	BIO_set_fd(bio, fd, BIO_NOCLOSE);
-diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
-index a049fd2ff03a..d921f1dde9fa 100644
---- a/src/test/ssl/t/001_ssltests.pl
-+++ b/src/test/ssl/t/001_ssltests.pl
-@@ -776,7 +776,7 @@ sub switch_server_cert
- 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
- 	  . sslkey('client-revoked.key'),
- 	"certificate authorization fails with revoked client cert",
--	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
-+	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
- 	# temporarily(?) skip this check due to timing issue
- 	#	log_like => [
- 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
-@@ -881,7 +881,7 @@ sub switch_server_cert
- 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
- 	  . sslkey('client-revoked.key'),
- 	"certificate authorization fails with revoked client cert with server-side CRL directory",
--	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
-+	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
- 	# temporarily(?) skip this check due to timing issue
- 	#	log_like => [
- 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
-@@ -894,7 +894,7 @@ sub switch_server_cert
- 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
- 	  . sslkey('client-revoked-utf8.key'),
- 	"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
--	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
-+	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
- 	# temporarily(?) skip this check due to timing issue
- 	#	log_like => [
- 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
diff --git a/sources b/sources
old mode 100755
new mode 100644
index 2bc1280..620f35c
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (postgresql-16.1.tar.bz2) = 69f4635e5841452599f13b47df41ce2425ab34b4e4582fd2c635bc78d561fa36c5b03eccb4ae6569872dc74775be1b5a62dee20c9a4f12a43339250128352918
-SHA512 (postgresql-16.1.tar.bz2.sha256) = 3f573d81a7af02dea2a3eee180d4e465546fc4d283dde5b6627d25af0be4a546ffd3ae914dd3490e45264d1a43cf143e829e14e5cd9c6bd8f179b6eae4fd6ff1
+SHA512 (postgresql-16.8.tar.bz2) = f44fdfe01fbf82f3ffe4c9fc860bd27e06dddfe43b6bd6d1c6e267d64086eb5517e23cc1b2b8895cb73e63fce76779993ea9785a97e6e348ed91b4c08bb0492d
+SHA512 (postgresql-16.8.tar.bz2.sha256) = 878f5b5d71a10de9416bdd74bef034efade87cc9d6fad6ce1491842ab6415f897c715a2817552f627744ab23cf2a8287010d5e2e2f1c9206e563a1d0e26d39cc