diff --git a/.gitignore b/.gitignore
index c7810e6..81a99ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /libreswan-3.4.tar.gz
 /libreswan-3.5.tar.gz
 /libreswan-3.6.tar.gz
+/libreswan-3.7.tar.gz
diff --git a/libreswan.spec b/libreswan.spec
index 14de28f..be12fd4 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -16,7 +16,7 @@
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
-Version: 3.6
+Version: 3.7
 Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://www.libreswan.org/
@@ -34,7 +34,7 @@ Provides: openswan = %{version}-%{release}
 Provides: openswan-doc = %{version}-%{release}
 BuildRequires: pkgconfig hostname
-BuildRequires: nss-devel >= 3.12.6-2, nspr-devel
+BuildRequires: nss-devel >= 3.14.3, nspr-devel
 BuildRequires: pam-devel
 %if %{USE_DNSSEC}
 BuildRequires: unbound-devel
@@ -99,7 +99,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 USE_XAUTHPAM=true \
 %if %{USE_FIPSCHECK}
 USE_FIPSCHECK="%{USE_FIPSCHECK}" \
- FIPSPRODUCTCHECK=/etc/system-fips \
+ FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \
 %endif
 USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
 USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
@@ -153,8 +153,8 @@ install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
 install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
-echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
-rm -fr %{buildroot}/etc/rc.d/rc*
+echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
+rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 %files
 %doc BUGS CHANGES COPYING CREDITS README LICENSE
@@ -190,14 +190,19 @@ rm -fr %{buildroot}/etc/rc.d/rc*
 %post
 %systemd_post ipsec.service
-if [ ! -f /etc/ipsec.d/cert8.db ] ; then
-echo > /var/tmp/libreswan-nss-pwd
-certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
-restorecon /etc/ipsec.d/*db 2>/dev/null || :
-rm /var/tmp/libreswan-nss-pwd
+if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
+ TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
+ [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
+ echo > ${TEMPFILE}
+ certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
+ restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
+ rm -f ${TEMPFILE}
 fi
 %changelog
+* Wed Dec 11 2013 Paul Wouters - 3.7-1
+- Updated to 3.7, fixes CVE-2013-4564
+
 * Thu Oct 31 2013 Paul Wouters - 3.6-1
 - Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
 - Generate empty NSS db if none exists
diff --git a/sources b/sources
index c5d2082..b268800 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6c6f0ffec329e09d2d7fa24ae102c69b libreswan-3.6.tar.gz
+5ab889e6a0c3b157c8dcd59966090e2f libreswan-3.7.tar.gz
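Review bot: In the %post scriptlet of libreswan.spec, the `[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$` fallback replaces a failed mktemp with a predictable, PID-derived name, which gives up the exclusive-create guarantee that mktemp provides; `echo > ${TEMPFILE}` then writes through whatever already exists at that path. If mktemp cannot create a file in that directory the fallback write is unlikely to succeed either, so I would drop the fallback and skip database creation instead, for example `TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX) || exit 0` (this block appears to be the last thing in %post). The expansions should also be quoted, as in `certutil -N -f "${TEMPFILE}" -d %{_sysconfdir}/ipsec.d` and `rm -f "${TEMPFILE}"`. The directory is presumably writable by root only, which limits exposure, but that is not visible in this hunk and a root-run install scriptlet should not depend on it.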