diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
new file mode 100644
index 0000000..c7a301f
--- /dev/null
+++ b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
@@ -0,0 +1,44 @@
+--- mozilla/security/nss/lib/ckfw/pem/psession.c
++++ mozilla/security/nss/lib/ckfw/pem/psession.c
+@@ -230,6 +230,7 @@ pem_mdSession_Login
+     unsigned int len = 0;
+     NSSLOWKEYPrivateKey *lpk = NULL;
+     PLArenaPool *arena;
++    SECItem plain;
+     int i;
+ 
+     fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
+@@ -306,23 +321,27 @@ pem_mdSession_Login
+     lpk->keyType = NSSLOWKEYRSAKey;
+     prepare_low_rsa_priv_key_for_asn1(lpk);
+ 
+-    nss_ZFreeIf(io->u.key.key.privateKey->data);
+-    io->u.key.key.privateKey->len = len - output[len - 1];
+-    io->u.key.key.privateKey->data =
+-        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+-    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+ 
+     /* Decode the resulting blob and see if it is a decodable DER that fits
+      * our private key template. If so we declare success and move on. If not
+      * then we return an error.
+      */
++    memset(&plain, 0, sizeof(plain));
++    plain.data = output;
++    plain.len = len - output[len - 1];
+     rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+-                                io->u.key.key.privateKey);
++                                &plain);
+     pem_DestroyPrivateKey(lpk);
+     arena = NULL;
+     if (rv != SECSuccess)
+         goto loser;
+ 
++    nss_ZFreeIf(io->u.key.key.privateKey->data);
++    io->u.key.key.privateKey->len = len - output[len - 1];
++    io->u.key.key.privateKey->data =
++        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
++    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
++
+     rv = CKR_OK;
+ 
+   loser:
diff --git a/nss.spec b/nss.spec
index 2df2406..5993ca8 100644
--- a/nss.spec
+++ b/nss.spec
@@ -79,6 +79,7 @@ Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919
 Patch43:          no-softoken-freebl-tests.patch
 Patch44:          0001-sync-up-with-upstream-softokn-changes.patch
+Patch45:          Bug-896651-pem-dont-trash-keys-on-failed-login.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -164,6 +165,7 @@ low level services.
 %patch40 -p1 -b .noocsptest
 %patch43 -p0 -b .nosoftokentests
 %patch44 -p1 -b .syncupwithupstream
+%patch45 -p0 -b .notrash
 
 %build
 
@@ -204,7 +206,7 @@ export USE_SYSTEM_FREEBL=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
-%ifarch x86_64 ppc64 ia64 s390x sparc64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
 USE_64=1
 export USE_64
 %endif
@@ -299,7 +301,7 @@ export FREEBL_NO_DEPEND
 BUILD_OPT=1
 export BUILD_OPT
 
-%ifarch x86_64 ppc64 ia64 s390x sparc64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
 USE_64=1
 export USE_64
 %endif
@@ -612,6 +614,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 * Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
 - Update to NSS_3_14_3_RTM
 - sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
 
 * Mon Feb 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-2
 - Allow building nss against older system sqlite