diff --git a/.gitignore b/.gitignore
index 0a17197..b0ffa84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,5 +4,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.66.tar.gz
-SOURCES/nss-softokn-cavs-1.0.tar.gz
+SOURCES/nss-3.67.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index 8d58692..46cc0d2 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -4,5 +4,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-c0d452f828e16e3345e891fe2bd016250f1b51e1 SOURCES/nss-3.66.tar.gz
-d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
+9cccf98f0476905c0d863a6b2cb08a1955482241 SOURCES/nss-3.67.tar.gz
diff --git a/SOURCES/nss-3.66-fix-gtest-parsing.patch b/SOURCES/nss-3.66-fix-gtest-parsing.patch
new file mode 100644
index 0000000..7e5ff4b
--- /dev/null
+++ b/SOURCES/nss-3.66-fix-gtest-parsing.patch
@@ -0,0 +1,16 @@
+diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
+--- ./tests/common/parsegtestreport.sed.new_gtest	2021-06-17 16:26:49.361035662 -0700
++++ ./tests/common/parsegtestreport.sed	2021-06-17 16:49:08.512261136 -0700
+@@ -1,8 +1,11 @@
+ /\<testcase/{
+-  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
++  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\).*$/\3 '\4: \1 \2'/
+   t end
+   s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+   t end
++  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
++  t end
++  s/^.* name="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+ }
+ d
+ : end
diff --git a/SOURCES/nss-3.66-ppcle-fix.patch b/SOURCES/nss-3.66-ppcle-fix.patch
deleted file mode 100644
index 6775bbd..0000000
--- a/SOURCES/nss-3.66-ppcle-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/lib/freebl/ppc-gcm.s b/lib/freebl/ppc-gcm.s
---- a/lib/freebl/ppc-gcm.s
-+++ b/lib/freebl/ppc-gcm.s
-@@ -692,7 +692,6 @@
- 
-     mtctr        9
- 
--    li           10, 0
-     li           25, 0x10
-     li           26, 0x20
-     li           27, 0x30
-@@ -703,6 +702,7 @@
- 
- .align 5
- .L8x_loop:
-+    li           10, 0
-     VEC_LOAD_INC K, KS, 10
- 
-     vadduwm      CTR1, CTR, I1
-diff --git a/lib/freebl/ppc-gcm-wrap.c b/lib/freebl/ppc-gcm-wrap.c
---- a/lib/freebl/ppc-gcm-wrap.c
-+++ b/lib/freebl/ppc-gcm-wrap.c
-@@ -155,7 +155,7 @@
-     /* Promote the counter by 1 */
-     gcm->CTR[14] += !(++gcm->CTR[15]);
-     gcm->CTR[13] += !(gcm->CTR[15]) && !(gcm->CTR[14]);
--    gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[13]) && !(gcm->CTR[12]);
-+    gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[14]) && !(gcm->CTR[13]);
- 
-     /* Now hash AAD - it would actually make sense to seperate the context
-      * creation from the AAD, because that would allow to reuse the H, which
-
-
diff --git a/SOURCES/nss-3.67-fix-coverity-issues.patch b/SOURCES/nss-3.67-fix-coverity-issues.patch
new file mode 100644
index 0000000..a68fa57
--- /dev/null
+++ b/SOURCES/nss-3.67-fix-coverity-issues.patch
@@ -0,0 +1,45 @@
+diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
+--- ./lib/pk11wrap/pk11cxt.c.coverity	2021-06-18 09:36:19.499203028 -0700
++++ ./lib/pk11wrap/pk11cxt.c	2021-06-18 09:37:57.993765299 -0700
+@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
+      * of the connection.*/
+     context->fortezzaHack = PR_FALSE;
+     if (type == CKM_SKIPJACK_CBC64) {
+-        if (symKey->origin == PK11_OriginFortezzaHack) {
++        if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
+             context->fortezzaHack = PR_TRUE;
+         }
+     }
+diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
+--- ./lib/pk11wrap/pk11hpke.c.coverity	2021-06-18 13:40:05.410644464 -0700
++++ ./lib/pk11wrap/pk11hpke.c	2021-06-18 13:42:40.627606469 -0700
+@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+     unsigned char tagBuf[HASH_LENGTH_MAX];
+     size_t tagLen;
+     unsigned int fixedBits;
+-    PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+-    PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+ 
+     /* aad may be NULL, PT may be zero-length but not NULL. */
+     if (!cx || !cx->aeadContext ||
+@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+         return SECFailure;
+     }
+ 
++    PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
++    PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
++
+     tagLen = cx->aeadParams->tagLen;
+     maxOut = pt->len + tagLen;
+     fixedBits = (cx->baseNonce->len - 8) * 8;
+diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
+--- ./lib/softoken/sftkike.c.coverity	2021-06-18 09:33:59.633405513 -0700
++++ ./lib/softoken/sftkike.c	2021-06-18 09:34:20.305523382 -0700
+@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
+         (outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
+         (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
+                      sizeof(ike_known_sha256_prf_plus)) != 0)) {
+-        PORT_ZFree(outKeyData, outKeySize);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         return SECFailure;
+     }
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index b1b68a1..b88d808 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,6 +1,6 @@
 %global nspr_build_version 4.25.0
 %global nspr_version 4.25.0
-%global nss_version 3.66.0
+%global nss_version 3.67.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -93,7 +93,6 @@ Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
-Source29:         nss-softokn-cavs-1.0.tar.gz
 Source30:         PayPalEE.cert
 
 # To inject hardening flags for DSO
@@ -150,8 +149,10 @@ Patch225:         nss-3.53-fix-private_key_mac.patch
 Patch229:         nss-3.53.1-measure-fix.patch
 # no upstream bug yet
 Patch230:         nss-3.66-no-small-primes.patch
-#
-Patch231:         nss-3.66-ppcle-fix.patch
+# no upstream bug yet
+Patch232:         nss-3.66-fix-gtest-parsing.patch
+# no upstream bug yet
+Patch233:         nss-3.67-fix-coverity-issues.patch
 
 
 %description
@@ -280,7 +281,7 @@ Header and library files for doing development with Network Security Services.
 
 
 %prep
-%autosetup -N -n %{name}-%{nss_archive_version} -a 29
+%autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
 %autopatch -p1
 popd
@@ -924,6 +925,12 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-2
+- Fix coverity issues
+
+* Thu Jun 17 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
+- Rebase to NSS 3.67
+
 * Tue Jun 15 2021 Bob Relyea <rrelyea@redhat.com> - 3.66.0-2
 - Restore old pkcs12 defaults.