diff --git a/k3s.yaml b/k3s.yaml
index c5ef6d7b680..6b464b7a36a 100644
--- a/k3s.yaml
+++ b/k3s.yaml
@@ -1,7 +1,7 @@
 package:
   name: k3s
-  version: 1.28.3
-  epoch: 3
+  version: 1.28.4
+  epoch: 0
   description:
   copyright:
     - license: Apache-2.0
@@ -47,7 +47,7 @@ pipeline:
     with:
       repository: https://github.com/k3s-io/k3s
       tag: v${{vars.full-package-version}}
-      expected-commit: bbafb86e91ae3682a1811119d136203957df9061
+      expected-commit: 6ba6c1b65f9483a5eb3657206ca58c9a7464ad9d
   # Build things (almost) identical to upstream, with the k3s components
   # embedded in the "outer" multicall binary.
   - runs: |
@@ -96,6 +96,10 @@ pipeline:
       # GHSA-6xv5-86q9-7xr8
       go get github.com/cyphar/filepath-securejoin@v0.2.4
 
+      # CVE-2023-48795
+      go mod edit -dropreplace=golang.org/x/crypto
+      go get golang.org/x/crypto@v0.17.0
+
       go mod tidy
 
       ./scripts/build