Upgrade to 4.9.3 for fix CVE-2021-4213

(cherry picked from commit 8491bbdd121a8b7d4247c8b81fe0b81489321b00)

0001-Fix-NativeProxy-reference-tracker.patch

@@ -1,53 +0,0 @@
-From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 29 Oct 2019 10:43:56 -0400
-Subject: [PATCH] Fix NativeProxy reference tracker
-
-In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
-setting mPointer after trying to add NativeProxy to the registry. In
-most instances this won't matter, however, if another instance exists in
-the HashSet with the same hash value, the equals comparator will be
-used, triggering a NPE.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index 1c6d1aa5..a0811f76 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public NativeProxy(byte[] pointer) {
- 		assert(pointer!=null);
--        registry.add(this);
-         mPointer = pointer;
-+        registry.add(this);
- 
-         if (saveStacktraces) {
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
-         if( ! (obj instanceof NativeProxy) ) {
-             return false;
-         }
--        if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
-+        if (((NativeProxy)obj).mPointer == null) {
-+            /* If mPointer is null, we have no way to compare the values
-+             * of the pointers, so assume they're unequal. */
-             return false;
-         }
--        for(int i=0; i < mPointer.length; i++) {
--            if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
--                return false;
--            }
--        }
--        return true;
-+        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-     }
- 
-     /**
--- 
-2.21.0
-

Move-from-_NETSCAPE_-to-_NSS_-PKCS#11-constants.patch

@@ -1,43 +0,0 @@
-From dd9fc06b9ba487cf982c8dbfd73c616754dbac0d Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 7 Apr 2020 11:28:24 -0400
-Subject: [PATCH] Move from _NETSCAPE_ to _NSS_ PKCS#11 constants
-
-In NSS v3.52, support is coming for PKCS#11 v3.0. This deprecates the
-_NETSCAPE_ namespace for PKCS#11 constants in favor of _NSS_. The few
-remaining _NETSCAPE_ constants will be moved to _NSS_. We only use one,
-CKM_NETSCAPE_PBE_SHA1_DES_CBC. Add an #ifdef for compatibility with the
-new preferred name.
-
-See also: moz-bz#1603628
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs11/PK11SymKey.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/org/mozilla/jss/pkcs11/PK11SymKey.c b/org/mozilla/jss/pkcs11/PK11SymKey.c
-index 8eaf9b77e..60a37c45b 100644
---- a/org/mozilla/jss/pkcs11/PK11SymKey.c
-+++ b/org/mozilla/jss/pkcs11/PK11SymKey.c
-@@ -14,6 +14,11 @@
- #include <jssutil.h>
- #include "pk11util.h"
- 
-+/* For PKCS#11 v3.0 compatibility */
-+#ifndef CKM_NSS_PBE_SHA1_DES_CBC
-+#define CKM_NSS_PBE_SHA1_DES_CBC (CKM_NETSCAPE_PBE_SHA1_DES_CBC)
-+#endif
-+
- /***********************************************************************
-  *
-  * J S S _ P K 1 1 _ w r a p S y m K e y
-@@ -262,7 +267,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_getKeyType
-       /* PBE mechanisms have to be handled by hand */
-       case CKM_PBE_MD2_DES_CBC:
-       case CKM_PBE_MD5_DES_CBC:
--      case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-+      case CKM_NSS_PBE_SHA1_DES_CBC:
-         typeFieldName = DES_KEYTYPE_FIELD;
-         break;
-       case CKM_PBE_SHA1_RC4_128:

jss.spec

@@ -2,20 +2,19 @@ Name:          jss
 Summary:       Java Security Services
 URL:           http://www.dogtagpki.org/wiki/JSS
 License:       MPLv1.1 or GPLv2+ or LGPLv2+
-Version:       4.6.2
-Release:       4
+Version:       4.9.3
+Release:       1
 Source:        https://github.com/dogtagpki/jss/archive/v%{version}/jss-%{version}.tar.gz
-Patch0001:     0001-Fix-NativeProxy-reference-tracker.patch
-Patch0002:     Move-from-_NETSCAPE_-to-_NSS_-PKCS#11-constants.patch
 
-BuildRequires: git make cmake gcc-c++ nspr-devel >= 4.13.1 nss-devel >= 3.30 nss-tools >= 3.30 java-devel
+BuildRequires: make cmake gcc-c++ nspr-devel >= 4.13.1 nss-devel >= 3.44 nss-tools >= 3.44 java-devel
 BuildRequires: jpackage-utils slf4j glassfish-jaxb-api slf4j-jdk14 apache-commons-lang apache-commons-codec
-BuildRequires: junit
+BuildRequires: junit apache-commons-lang3
 
-Requires:      nss >= 3.30 java-headless jpackage-utils slf4j glassfish-jaxb-api
+Requires:      nss >= 3.44 java-headless jpackage-utils slf4j glassfish-jaxb-api
 Requires:      slf4j-jdk14 apache-commons-lang apache-commons-codec
+Requires:      apache-commons-lang3
 
-Conflicts:     ldapjdk < 4.20 idm-console-framework < 1.2 tomcatjss < 7.3.4 pki-base < 10.6.5
+Conflicts:     ldapjdk < 4.20 idm-console-framework < 1.2 tomcatjss < 7.6.0 pki-base < 10.10.0
 
 %description
 JSS offers a implementation for java-based applications to use native NSS.
@@ -29,7 +28,7 @@ Obsoletes:     jss-javadoc < %{version}-%{release}
 API documentation for JSS.
 
 %prep
-%autosetup -n jss-%{version} -p 1 -S git
+%autosetup -n jss-%{version} -p 1
 
 %build
 
@@ -79,6 +78,9 @@ cp -rp build/docs/* jss.html *.txt $RPM_BUILD_ROOT%{_javadocdir}/jss-%{version}
 %{_javadocdir}/jss-%{version}/
 
 %changelog
+* Mon Feb 19 2024 yaoxin <yao_xin001@hoperun.com> - 4.9.3-1
+- Upgrade to 4.9.3 for fix CVE-2021-4213
+
 * Wed Aug 05 2020 lingsheng <lingsheng@huawei.com> - 4.6.2-4
 - Fix build with nss 3.54