diff --git a/.gitignore b/.gitignore
index 7b095ce..0f864ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,4 @@ TestUser51.cert
 /nss-3.47.tar.gz
 /nss-3.47.1.tar.gz
 /nss-3.48.tar.gz
+/nss-3.49.tar.gz
diff --git a/nss-3.47-certdb-temp-cert.patch b/nss-3.47-certdb-temp-cert.patch
deleted file mode 100644
index 0c37c0f..0000000
--- a/nss-3.47-certdb-temp-cert.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1575450841 -3600
-#      Wed Dec 04 10:14:01 2019 +0100
-# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
-# Parent  d64102b76a437f24d98a20480dcc9f1655143e7c
-Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards
-
-Summary:
-When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
-
-This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
-
-Reviewers: rrelyea, keeler
-
-Reviewed By: rrelyea
-
-Subscribers: reviewbot, heftig
-
-Bug #: 1593167
-
-Differential Revision: https://phabricator.services.mozilla.com/D54726
-
-diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
---- a/lib/pki/pki3hack.c
-+++ b/lib/pki/pki3hack.c
-@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
-     }
-     if (!cc->nssCertificate || forceUpdate) {
-         fill_CERTCertificateFields(c, cc, forceUpdate);
--    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
--               !c->object.cryptoContext) {
--        /* if it's a perm cert, it might have been stored before the
--         * trust, so look for the trust again.  But a temp cert can be
--         * ignored.
--         */
--        CERTCertTrust *trust = NULL;
--        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-+    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
-+        CERTCertTrust *trust;
-+        if (!c->object.cryptoContext) {
-+            /* If it's a perm cert, it might have been stored before the
-+             * trust, so look for the trust again.
-+             */
-+            trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-+        } else {
-+            /* If it's a temp cert, it might have been stored before the
-+             * builtin trust module is loaded, so look for the trust
-+             * again, but don't set the empty trust if it is not found.
-+             */
-+            NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
-+            if (!t) {
-+                goto loser;
-+            }
-+            trust = cert_trust_from_stan_trust(t, cc->arena);
-+            nssTrust_Destroy(t);
-+            if (!trust) {
-+                goto loser;
-+            }
-+        }
- 
-         CERT_LockCertTrust(cc);
-         cc->trust = trust;
diff --git a/nss.spec b/nss.spec
index 45e5490..8a7a756 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.24.0
-%global nss_version 3.48.0
+%global nss_version 3.49.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -107,8 +107,6 @@ Patch2:           nss-539183.patch
 Patch4:           iquote.patch
 # add missing ike mechanism to softoken
 Patch10:          nss-3.47-ike-fix.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
-Patch11:	  nss-3.47-certdb-temp-cert.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -874,6 +872,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
+- Update to NSS 3.49
+
 * Fri Jan  3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
 - Update to NSS 3.48
 
diff --git a/sources b/sources
index 2e36a5d..b9615c6 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.48.tar.gz) = 71aefe323501dd8d750ed36606554f2e67ecb2bca85b55bc798d5dfc3a47f3d454348ca950971aaaafb16f6d847c098d2b1c40d40b50380e0c2540ed1b9a9e9a
+SHA512 (nss-3.49.tar.gz) = 7d8df73a2e585585a7cb3f887af3f933854984479531b3dd30316873bdd92c130e2fadb54e7b3b1f0b10675b1bce09112ef39860d74ef6f0df7b57bf430bd072