diff --git a/mbedtls-2.28.7.tar.gz b/mbedtls-2.28.7.tar.gz
deleted file mode 100644
index b7e9122..0000000
--- a/mbedtls-2.28.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a
-size 3990451
diff --git a/mbedtls-2.28.8.tar.gz b/mbedtls-2.28.8.tar.gz
new file mode 100644
index 0000000..429ae0e
--- /dev/null
+++ b/mbedtls-2.28.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
+size 4039097
diff --git a/mbedtls-2.changes b/mbedtls-2.changes
index cba6eae..f0c3278 100644
--- a/mbedtls-2.changes
+++ b/mbedtls-2.changes
@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Sun Mar 31 12:10:53 UTC 2024 - Jaime Marquínez Ferrándiz
+
+- Update to version 2.28.8:
+ Features
+ * AES-NI is now supported in Windows builds with clang and clang-cl.
+ Resolves gh#Mbed-TLS/mbedtls#8372.
+ * Add pc files for pkg-config, e.g.:
+ pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
+ Security
+ * Passing buffers that are stored in untrusted memory as arguments
+ to PSA functions is now secure by default.
+ The PSA core now protects against modification of inputs or exposure
+ of intermediate outputs during operations. This is currently implemented
+ by copying buffers.
+ This feature increases code size and memory usage. If buffers passed to
+ PSA functions are owned exclusively by the PSA core for the duration of
+ the function call (i.e. no buffer parameters are in shared memory),
+ copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
+ Note that setting this option will cause input-output buffer overlap to
+ be only partially supported (gh#Mbed-TLS/mbedtls#3266).
+ Fixes CVE-2024-28960 boo#1222157 .
+ Bugfix
+ * Fix the build with CMake when Everest is enabled through
+ a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165.
+ * Fix an inconsistency between implementations and usages of __cpuid,
+ which mainly causes failures when building Windows target using
+ mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332.
+ * Correct initial capacities for key derivation algorithms: TLS12_PRF,
+ TLS12_PSK_TO_MS.
+ * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
+ multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868.
+ * Avoid segmentation fault caused by releasing not initialized
+ entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809.
+ * Fix missing bitflags in SSL session serialization headers. Their absence
+ allowed SSL sessions saved in one configuration to be loaded in a
+ different, incompatible configuration.
+ * Fix the restoration of the ALPN when loading serialized connection with
+ the mbedtls_ssl_context_load() API.
+ * Fully support arbitrary overlap between inputs and outputs of PSA
+ functions. Note that overlap is still only partially supported when
+ MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266).
+ Changes
+ * Use heap memory to allocate DER encoded public/private key.
+ This reduces stack usage significantly for writing a public/private
+ key to a PEM string.
+ * cmake: Use GnuInstallDirs to customize install directories
+ Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
+ variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
+ LIB_INSTALL_DIR is set.
+
 -------------------------------------------------------------------
 Wed Jan 31 08:19:59 UTC 2024 - Martin Pluskal
diff --git a/mbedtls-2.spec b/mbedtls-2.spec
index 320aa66..5eee90c 100644
--- a/mbedtls-2.spec
+++ b/mbedtls-2.spec
@@ -21,7 +21,7 @@
 %define lib_x509 libmbedx509-1
 %define _rname mbedtls
 Name: mbedtls-2
-Version: 2.28.7
+Version: 2.28.8
 Release: 0
 Summary: Libraries for crypto and SSL/TLS protocols
 License: Apache-2.0 OR GPL-2.0-or-later
@@ -135,8 +135,19 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
 %doc ChangeLog README.md
 %dir %{_includedir}/mbedtls
 %dir %{_includedir}/psa
+%dir %{_includedir}/everest
+%dir %{_includedir}/everest/kremlib
+%dir %{_includedir}/everest/kremlin
+%dir %{_includedir}/everest/kremlin/internal
+%dir %{_includedir}/everest/vs2010
+%{_libdir}/pkgconfig/*.pc
 %{_includedir}/mbedtls/*.h
 %{_includedir}/psa/*.h
+%{_includedir}/everest/*.h
+%{_includedir}/everest/kremlib/*.h
+%{_includedir}/everest/kremlin/*.h
+%{_includedir}/everest/kremlin/internal/*.h
+%{_includedir}/everest/vs2010/*.h
 %{_libdir}/libmbedtls.so
 %{_libdir}/libmbedcrypto.so
 %{_libdir}/libmbedx509.so
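Review bot: The new `%{_libdir}/pkgconfig/*.pc` line in the second mbedtls-2.spec hunk packages whatever .pc files the build happens to install. The changelog names exactly three modules, so listing `%{_libdir}/pkgconfig/mbedtls.pc`, `%{_libdir}/pkgconfig/mbedcrypto.pc` and `%{_libdir}/pkgconfig/mbedx509.pc` would make an unexpected or missing file fail the build instead of passing silently. Those names are unversioned, so they presumably collide with the .pc files of a 3.x development package; the %files header and any `Conflicts:` tag lie outside this hunk, so please confirm the subpackage already declares that conflict. Judging by the directory name, the `everest/vs2010` headers are shims for an old MSVC toolchain and look unnecessary here; if nothing on this platform includes them, removing the directory in `%install` would be cleaner than shipping it.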