diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index de811b1..38ec0c0 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,16 +1,2 @@
-DIST gnutls-3.7.6.tar.xz 6338276 BLAKE2B 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3 SHA512 f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
-DIST gnutls-3.7.6.tar.xz.sig 685 BLAKE2B eae022d6cb0d772e465257411381afd97f3dfd19d6f794a1c3e0f8c3c1232a8a1b91269ca7252a5662782183b11ca393c31efe3f88171a526884400fd0534528 SHA512 c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e
-DIST gnutls-3.7.7.tar.xz 6351664 BLAKE2B a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 SHA512 ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08
-DIST gnutls-3.7.7.tar.xz.sig 685 BLAKE2B 53d76a06ed5a74664d6c193459eb310f06e87dd3db97aca9e9fa78837677df58d8de66f187c182b9375786ee0308c5da55f08414183c959c7acb4527c38cd7c7 SHA512 6463bc4661e20051ff9f31c1a557cece34d06b748f4e24f98e807ddc72a3daa9348aa9f0afa83a0f9cd226421c575210eec1936fbeb9a55849e2c397ace9d03d
-DIST gnutls-3.7.8.tar.xz 6029220 BLAKE2B 0a21e63c7cb0ba4eeff23593c7282e0b4d704fa2d2a1cd5289998fd04b58ea36fc343f872225ad05478e278b1cdebbcd0fd376459abcb58547f8fa1488485530 SHA512 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359
-DIST gnutls-3.7.8.tar.xz.sig 1250 BLAKE2B 66c6a335c3b2290a4e44ffa6ae715ad71d2bcd7df485c1d2d9490985d9dcd445768d6eb021ad3a61614431183c6652254c63ebd8abd0f0a03d3164a6193b6192 SHA512 cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7
-DIST gnutls-3.7.9.tar.xz 6377212 BLAKE2B c8263381132b0c96f23a580823cfaf57112056876e5f2cc21aec4eeddec641b0c01fa02ff9493ea686f49fd917190b06f89379eb448a510cf4d50fe3a0742851 SHA512 56ccbab5f214f9e3cf10a43dd90dedc1e10a38d08b8359a4305dc05c59ddb4a1d3680b282077b6446605c31675a4261cd0579c2c0d976e0b2ced02e6dba224c1
-DIST gnutls-3.7.9.tar.xz.sig 685 BLAKE2B 2e7ba793d026cf96c54c75a81160c58cf21d6d5f034a603ffe88d5fa4cbfa1d4fd590efbe81fbee7790cd4956776085b7827fead67c9b07f1d7eadd405815eb7 SHA512 906227a0d6f57878e85e9acdf754d20b7628a7a95b40aeffced398a0a0c6220f5e32191a9f988f55b8b903bf55212179dce2abcc08c2bb3397a2704dd2319438
-DIST gnutls-3.8.0.tar.xz 6378480 BLAKE2B 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a53673f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40 SHA512 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629
-DIST gnutls-3.8.0.tar.xz.sig 684 BLAKE2B c5dbed12b8233ed8502dac16b77d6043591296f4b9ddb0445271e8fe875c2a05b9663ad6523cca6355faaa9d244cc6e6fb8ff0d65fee47b36ab6b57f57d89f64 SHA512 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654
-DIST gnutls-3.8.1.tar.xz 6447056 BLAKE2B 16cb6d2dc7d67724ff45765ae3f154c8d268d8c4547df591a95ff014fc18f16f572a76e3cd00b3e13615ba41e80141cef21aa9915b467a1c452edfe314e2e0c7 SHA512 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872
-DIST gnutls-3.8.1.tar.xz.sig 685 BLAKE2B bfafa80bef81c2a24556f010f00294643ba7901eff07f055a0ebd9ca532b47b7b3d3403e9d1a1389c14e6f37f474a37afa2844f326d5ab35fa35b195f2ff1ade SHA512 f03fde611927c83f6b57af695d5610ba3cefbb88a261cf5485c94b3fb32c7480a77c68a353a6a28185337195e30011d6b5578c53ea4180a656cf7b175156f7f1
-DIST gnutls-3.8.2.tar.xz 6456540 BLAKE2B d70524f17919bc02fefc610ede948d209e50e3276fc1e2d40aaed5c208265455da220d948f4a3f21db57f9d253c103f3a1b9a6daa2229d02c7c224448acc2777 SHA512 b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38
-DIST gnutls-3.8.2.tar.xz.sig 685 BLAKE2B 7f82c047991d327cc1040bc38ba59e49bb1698968a833d73ec9ea8827b8d49586d5e5b6b6be313810d57ca60d09057b151264731ce5d995032a462717bcdc4ad SHA512 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6
-DIST gnutls-3.8.3.tar.xz 6463720 BLAKE2B 27a4bb4d8a5697e2187113351b2ad1e849bca7bcfb556c1b54fc2d02bef16e2789e7c437ac8db8fe6d2bcfc0e3e3467bbff2dd5d2fc0adb9bf8bda81cb89e452 SHA512 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84
-DIST gnutls-3.8.3.tar.xz.sig 580 BLAKE2B 25875eb17d9e59bf1f1b6a61dfc7657d838ac154dbb3e26c8df1995884077878ca607de62a8ce3b9287df1ea7ff523c0abc7c4548f1ca789c308eb6bda0edbaa SHA512 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff
+DIST gnutls-3.8.5.tar.xz 6491504 BLAKE2B 30ea0e213b426df896af7cddfc39a7c50fd3130f99ced8386dc55e851122a37f6171722d2cb4abb68b9d2523cd3ba044b01248d740571a3bdd0cadf555894cdf SHA512 4bac1aa7ec1dce9b3445cc515cc287a5af032d34c207399aa9722e3dc53ed652f8a57cfbc9c5e40ccc4a2631245d89ab676e3ba2be9563f60ba855aaacb8e23c
+DIST gnutls-3.8.5.tar.xz.sig 119 BLAKE2B 62ff7b33fb80422774f8252f574560679b7dc4fa56fa680a4cf570320fa9692aa6f8b6a7e4683a684572287cfd22168f58679d2dc4cc507dc50269ed126990fd SHA512 b0f7a8ec348765112cac75fd732e066adaa1595bb83024cfeff6633aba35277d8aceda145c733c3d95f1e0eb4d34fead2479abdb08d6041362094a235460fa67
diff --git a/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch b/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
deleted file mode 100644
index b3d10c1..0000000
--- a/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://bugs.gentoo.org/911872
-https://gitlab.com/gnutls/gnutls/-/commit/abfa8634db940115a11a07596ce53c8f9c4f87d2
-
-From abfa8634db940115a11a07596ce53c8f9c4f87d2 Mon Sep 17 00:00:00 2001
-From: Adrian Bunk <bunk@debian.org>
-Date: Sun, 6 Aug 2023 22:46:22 +0300
-Subject: [PATCH] Move the GNUTLS_NO_EXTENSIONS compatibility #define to
- gnutls.h
-
-Signed-off-by: Adrian Bunk <bunk@debian.org>
---- a/lib/ext/ext_master_secret.h
-+++ b/lib/ext/ext_master_secret.h
-@@ -23,9 +23,6 @@
- #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
- #define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
- 
--/* Keep backward compatibility */
--#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
--
- #include <hello_ext.h>
- 
- extern const hello_ext_entry_st ext_mod_ext_master_secret;
---- a/lib/includes/gnutls/gnutls.h.in
-+++ b/lib/includes/gnutls/gnutls.h.in
-@@ -542,6 +542,9 @@ typedef enum {
- #define GNUTLS_ENABLE_CERT_TYPE_NEG 0
- // Here for compatibility reasons
- 
-+/* Keep backward compatibility */
-+#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
-+
- /**
-  * gnutls_alert_level_t:
-  * @GNUTLS_AL_WARNING: Alert of warning severity.
---- a/lib/state.h
-+++ b/lib/state.h
-@@ -110,7 +110,4 @@ inline static int _gnutls_PRF(gnutls_session_t session, const uint8_t *secret,
- 
- #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509
- 
--/* Keep backward compatibility */
--#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
--
- #endif /* GNUTLS_LIB_STATE_H */
--- 
-GitLab
diff --git a/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
new file mode 100644
index 0000000..6905f79
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
@@ -0,0 +1,261 @@
+https://bugs.gentoo.org/930752
+https://bugs.gentoo.org/930529
+https://gitlab.com/gnutls/gnutls/-/issues/1540
+https://gitlab.com/gnutls/gnutls/-/merge_requests/1830
+https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d
+
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+ 	bool force_ext_master_secret_set;
+ };
+ 
++static inline void cfg_init(struct cfg *cfg)
++{
++	memset(cfg, 0, sizeof(*cfg));
++	cfg->allow_rsa_pkcs1_encrypt = true;
++}
++
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+ 	if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+ 	size_t curves_size;
+ };
+ 
++static inline void ini_ctx_init(struct ini_ctx *ctx)
++{
++	memset(ctx, 0, sizeof(*ctx));
++	cfg_init(&ctx->cfg);
++}
++
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+ 	cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+ 		_gnutls_default_priority_string = cfg->default_priority_string;
+ 	}
+ 
+-	/* enable RSA-PKCS1-V1_5 by default */
+-	cfg->allow_rsa_pkcs1_encrypt = true;
+-
+ 	if (cfg->allowlisting) {
+ 		/* also updates `flags` of global `hash_algorithms[]` */
+ 		ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+ 	return 0;
+ }
+ 
++/* Returns false on parse error, otherwise true.
++ * The system_wide_config must be locked for writing.
++ */
++static inline bool load_system_priority_file(void)
++{
++	int err;
++	FILE *fp;
++	struct ini_ctx ctx;
++
++	cfg_init(&system_wide_config);
++
++	fp = fopen(system_priority_file, "re");
++	if (fp == NULL) {
++		_gnutls_debug_log("cfg: unable to open: %s: %d\n",
++				  system_priority_file, errno);
++		return true;
++	}
++
++	/* Parsing the configuration file needs to be done in 2 phases:
++	 * first parsing the [global] section
++	 * and then the other sections,
++	 * because the [global] section modifies the parsing behavior.
++	 */
++	ini_ctx_init(&ctx);
++	err = ini_parse_file(fp, global_ini_handler, &ctx);
++	if (!err) {
++		if (fseek(fp, 0L, SEEK_SET) < 0) {
++			_gnutls_debug_log("cfg: unable to rewind: %s\n",
++					  system_priority_file);
++			if (fail_on_invalid_config)
++				exit(1);
++		}
++		err = ini_parse_file(fp, cfg_ini_handler, &ctx);
++	}
++	fclose(fp);
++	if (err) {
++		ini_ctx_deinit(&ctx);
++		_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
++				  system_priority_file, err);
++		return false;
++	}
++	cfg_apply(&system_wide_config, &ctx);
++	ini_ctx_deinit(&ctx);
++	return true;
++}
++
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+-	int ret, err = 0;
++	int ret;
++	bool config_parse_error = false;
+ 	struct stat sb;
+-	FILE *fp;
+ 	gnutls_buffer_st buf;
+-	struct ini_ctx ctx;
+ 
+ 	ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+-	if (ret < 0) {
++	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+-	}
+ 
+ 	if (stat(system_priority_file, &sb) < 0) {
+ 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
+ 				  system_priority_file, errno);
++
++		(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
++		ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
++		if (ret < 0)
++			goto out;
++		/* If system-wide config is unavailable, apply the defaults */
++		cfg_init(&system_wide_config);
+ 		goto out;
+ 	}
+ 
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ 	    system_priority_last_mod == sb.st_mtime) {
+ 		_gnutls_debug_log("cfg: system priority %s has not changed\n",
+ 				  system_priority_file);
+-		if (system_wide_config.priority_string) {
++		if (system_wide_config.priority_string)
+ 			goto out; /* nothing to do */
+-		}
+ 	}
+ 
+ 	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+ 	ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+-	if (ret < 0) {
++	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+-	}
+ 
+ 	/* Another thread could have successfully re-read system-wide config,
+ 	 * skip re-reading if the mtime it has used is exactly the same.
+ 	 */
+-	if (system_priority_file_loaded) {
++	if (system_priority_file_loaded)
+ 		system_priority_file_loaded =
+ 			(system_priority_last_mod == sb.st_mtime);
+-	}
+ 
+ 	if (!system_priority_file_loaded) {
+-		_name_val_array_clear(&system_wide_config.priority_strings);
+-
+-		gnutls_free(system_wide_config.priority_string);
+-		system_wide_config.priority_string = NULL;
+-
+-		fp = fopen(system_priority_file, "re");
+-		if (fp == NULL) {
+-			_gnutls_debug_log("cfg: unable to open: %s: %d\n",
+-					  system_priority_file, errno);
++		config_parse_error = !load_system_priority_file();
++		if (config_parse_error)
+ 			goto out;
+-		}
+-		/* Parsing the configuration file needs to be done in 2 phases:
+-		 * first parsing the [global] section
+-		 * and then the other sections,
+-		 * because the [global] section modifies the parsing behavior.
+-		 */
+-		memset(&ctx, 0, sizeof(ctx));
+-		err = ini_parse_file(fp, global_ini_handler, &ctx);
+-		if (!err) {
+-			if (fseek(fp, 0L, SEEK_SET) < 0) {
+-				_gnutls_debug_log("cfg: unable to rewind: %s\n",
+-						  system_priority_file);
+-				if (fail_on_invalid_config)
+-					exit(1);
+-			}
+-			err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+-		}
+-		fclose(fp);
+-		if (err) {
+-			ini_ctx_deinit(&ctx);
+-			_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+-					  system_priority_file, err);
+-			goto out;
+-		}
+-		cfg_apply(&system_wide_config, &ctx);
+-		ini_ctx_deinit(&ctx);
+ 		_gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+ 				  system_priority_file,
+ 				  (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+ 	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+-	if (err && fail_on_invalid_config) {
++	if (config_parse_error && fail_on_invalid_config)
+ 		exit(1);
+-	}
+ 
+ 	return ret;
+ }
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>
+ 
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
++TEST=${builddir}/rsaes-pkcs1-v1_5
++CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+ 
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++	echo "${TEST} expected to succeed"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++	echo "${TEST} expected to fail"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++	echo "${TEST} expected to succeed by default"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+-- 
+GitLab
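Review bot: In the new `load_system_priority_file()`, a failed `fopen()` returns `true` after `cfg_init(&system_wide_config)` has already reset the policy, so a config file that passes `stat()` but cannot be opened is treated as loaded and the defaults apply, including `allow_rsa_pkcs1_encrypt = true`, even when `GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID` is set. For an administrator who disabled RSAES-PKCS1-v1_5 in that file this is a silent fail-open; returning `false` for any open error other than a missing file (with `errno` saved before the log call) would let the existing `fail_on_invalid_config` exit path catch it. Separately, `cfg_init()` is a bare `memset`, whereas the code it replaces first called `_name_val_array_clear(&system_wide_config.priority_strings)` and `gnutls_free(system_wide_config.priority_string)`, so unless those are released elsewhere each reload appears to leak them; a `cfg_deinit(&system_wide_config);` before the reset would likely cover it. This file looks like a verbatim upstream backport, so both points are better raised upstream than patched locally, and `_gnutls_update_system_priorities()` continues outside the embedded hunks.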
diff --git a/net-libs/gnutls/gnutls-3.8.3.ebuild b/net-libs/gnutls/gnutls-3.8.5-r2.ebuild
similarity index 91%
rename from net-libs/gnutls/gnutls-3.8.3.ebuild
rename to net-libs/gnutls/gnutls-3.8.5-r2.ebuild
index b6b1f91..a991370 100644
--- a/net-libs/gnutls/gnutls-3.8.3.ebuild
+++ b/net-libs/gnutls/gnutls-3.8.5-r2.ebuild
@@ -52,7 +52,7 @@
 		net-dialup/ppp
 		net-misc/socat
 	)
-	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20231129 )
+	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20240415 )
 "
 
 DOCS=( README.md doc/certtool.cfg )
@@ -66,6 +66,12 @@
 	static_assert
 )
 
+PATCHES=(
+	# Should no longer be needed for the next release
+	# bug #930529
+	"${FILESDIR}"/${PN}-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
+)
+
 src_prepare() {
 	default
 
@@ -134,7 +140,9 @@
 		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
 	)
 
-	ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}"
+	# dlopen is not present in the current version of glibs
+	# and libdl needs to be added directly
+	ECONF_SOURCE="${S}" LIBS=-ldl econf "${libconf[@]}" "${myeconfargs[@]}"
 }
 
 multilib_src_install_all() {
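Review bot: `LIBS=-ldl` on the `econf` line replaces any `LIBS` already set in the build environment instead of extending it, and it is applied on every libc, not only the one the comment describes. Keeping the caller's value, `ECONF_SOURCE="${S}" LIBS="${LIBS} -ldl" econf "${libconf[@]}" "${myeconfargs[@]}"`, avoids silently dropping libraries. The comment also reads `glibs` where `glibc` is presumably meant, and it does not say which configure check fails without `-ldl`; something like `# configure's dlopen check fails without -ldl here, see bug #<bug-number>` would tell the next maintainer when the workaround can be removed. The enclosing function starts above this hunk.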
