diff --git a/.gitignore b/.gitignore
index 546baa8..019d5b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@ PayPalEE.cert
 TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
-/nss-pem-20160308.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
 /nss-3.24.0.tar.gz
diff --git a/nss.spec b/nss.spec
index c3db6c1..5a9d72f 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.24.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          2.3%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -45,6 +45,12 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl
 
+# nss-pem used to be bundled with the nss package on Fedora -- make sure that
+# programs relying on that continue to work until they are fixed to require
+# nss-pem instead.  Once all of them are fixed, the following line can be
+# removed.  See https://bugzilla.redhat.com/1346806 for details.
+Requires:         nss-pem
+
 %{!?nss_ckbi_suffix:%define full_nss_version %{version}}
 %{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
 
@@ -58,7 +64,6 @@ Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
-Source12:         %{name}-pem-20160308.tar.bz2
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
@@ -70,14 +75,8 @@ Source27:         secmod.db.xml
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=402712
-Patch6:           nss-enable-pem.patch
-# Below reference applies to most pem module related patches
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch16:          nss-539183.patch
-# must statically link pem against the freebl in the buildroot
-# Needed only when freebl on tree has new APIS
-Patch25:          nsspem-use-system-freebl.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
@@ -95,10 +94,8 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # TODO: file a bug usptream
 Patch59: nss-check-policy-file.patch
-Patch60: nss-pem-unitialized-vars.path
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
 Patch61: mozbz1277569backport.patch
-# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/
 # TODO: file a bug usptream
 Patch62: nss-skip-util-gtest.patch
 # TODO: file a bug usptream when enough tests are run
@@ -175,14 +172,12 @@ low level services.
 
 %prep
 %setup -q
-%setup -q -T -D -n %{name}-%{version} -a 12
+%setup -q -T -D -n %{name}-%{version}
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
-%patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
 # link pem against buildroot's freebl, essential when mixing and matching
-%patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
@@ -190,7 +185,6 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-%patch60 -p1 -b .unitialized_vars
 %patch61 -p1 -b .compatibility
 %patch62 -p0 -b .skip_util_gtest
 %patch63 -p1 -b .check_policy
@@ -203,11 +197,6 @@ popd
 # until fixed upstream we must copy some headers locally
 #########################################################
 
-pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
-for file in ${pemNeedsFromSoftoken}; do
-    %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
-done
-
 # Copying these header until the upstream bug is accepted
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
@@ -548,7 +537,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
 %{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
 
 # Copy the binary libraries we want
-for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
   %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -674,7 +663,6 @@ fi
 %{_libdir}/libsmime3.so
 %ghost %{_libdir}/libnssckbi.so
 %{_libdir}/nss/libnssckbi.so
-%{_libdir}/libnsspem.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
@@ -770,7 +758,6 @@ fi
 %{_includedir}/nss3/keythi.h
 %{_includedir}/nss3/nss.h
 %{_includedir}/nss3/nssckbi.h
-%{_includedir}/nss3/nsspem.h
 %{_includedir}/nss3/ocsp.h
 %{_includedir}/nss3/ocspt.h
 %{_includedir}/nss3/p12.h
@@ -815,6 +802,9 @@ fi
 
 
 %changelog
+* Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
+- decouple nss-pem from the nss package (#1347336)
+
 * Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
 - Apply the patch that was last introduced
 - Renumber and reorder some of the patches
diff --git a/sources b/sources
index 6497ccb..a7af001 100644
--- a/sources
+++ b/sources
@@ -3,5 +3,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-4d8e770b105483e365f3327d883dd229  nss-pem-20160308.tar.bz2
 2a3ffd2f46b60ecc116ac086343a537a  nss-3.24.0.tar.gz