[AUTO-CHERRYPICK] Revert "Upgrade maven to 3.8.1 to fix CVE-2021-26291 in javapackages-bootstrap [Critical]" - branch main (#13799)

Co-authored-by: Kanishk Bansal <[email protected]>

Author: CBL-Mariner-Bot

SPECS/javapackages-bootstrap/CVE-2021-26291.patch

@@ -64,7 +64,7 @@
         "maven-plugin-testing.tar.xz": "0bc167583eef4321b69d7990d3cb0f2c9e03f7c92137aae0c938c1b6f01798a1",
         "maven-plugin-tools.tar.xz": "27a3b5835a34712862b00b3f540fda541c6a54d841988b0a3dec7f02e9a3db11",
         "maven-remote-resources-plugin.tar.xz": "e0b8cd3eb4ec00652b44da236b2c4eb796a8f99f89b9f02dbdb290e712854a08",
-        "maven-resolver-1.7.0.tar.xz": "d25fed747363399d91ab1dd19de01bf9c5eb288db17dc9262d844643dd2a2127",
+        "maven-resolver.tar.xz": "f9722a31915945fa533995a642f7cee00f5e78ba8c4dfae6ad5f3e84fcbb1f87",
         "maven-resources-plugin.tar.xz": "a61514bcf9216c4543c8710dc0c1a7fdf7c4ecdebb1c1de118a2db536142fd9d",
         "maven-resources.tar.xz": "cee8b36b3869a40c8fee6e7f01105c835ab192361e9abb5bdd23a706b979b3c1",
         "maven-shared-incremental.tar.xz": "951c4c7cf5d4a5a40d47c213c711e76e369cfca4bfd2e55075996706f175af92",
@@ -74,7 +74,7 @@
         "maven-surefire.tar.xz": "2f6b7af5b523949ba194ed61774a336cf88b64cdb81753eb73d0b6a94375ff52",
         "maven-verifier.tar.xz": "bfd78b31d226bead42b88ae787c310b42aa57b3f64e68652a4e88b0d0f3b49c9",
         "maven-wagon.tar.xz": "a34b0a40dd7bc566a284858613c875c5534f80a7c2afd2c3e503e2385728d131",
-        "maven-3.8.1.tar.xz": "65ea8259df08175343593daf6663e2c8a739d75a8d4ef76f0f7d23e15b06e40a",
+        "maven.tar.xz": "9041ac7dda108625e159504f14e4d42375a1b2f0cf257a3b3c2ec4f0bd910d9e",
         "mockito.tar.xz": "7b35153653525935f7e6a039dbe608a1058b139e9e6b5f3b6d0362ff114fe77f",
         "modello.tar.xz": "be90712a48c4305d9e2ea4d35729d2a2b505ea25512fc3014234d9ac1ec6e46c",
         "mojo-parent-pom.tar.xz": "23e97b26ff8efd391bccd0cf215bb0ec2e7ac6caf2b9394b61766bfb9b110bb7",

SPECS/javapackages-bootstrap/javapackages-bootstrap.signatures.json

@@ -13,7 +13,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.5.0
-Release:        7%{?dist}
+Release:        6%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -87,7 +87,7 @@ Source1057:     maven-parent-pom.tar.xz
 Source1058:     maven-plugin-testing.tar.xz
 Source1059:     maven-plugin-tools.tar.xz
 Source1060:     maven-remote-resources-plugin.tar.xz
-Source1061:     maven-resolver-1.7.0.tar.xz
+Source1061:     maven-resolver.tar.xz
 Source1062:     maven-resources-plugin.tar.xz
 Source1063:     maven-resources.tar.xz
 Source1064:     maven-shared-incremental.tar.xz
@@ -97,7 +97,7 @@ Source1067:     maven-source-plugin.tar.xz
 Source1068:     maven-surefire.tar.xz
 Source1069:     maven-verifier.tar.xz
 Source1070:     maven-wagon.tar.xz
-Source1071:     maven-3.8.1.tar.xz
+Source1071:     maven.tar.xz
 Source1072:     mockito.tar.xz
 Source1073:     modello.tar.xz
 Source1074:     mojo-parent-pom.tar.xz
@@ -141,7 +141,6 @@ Patch1:         0001-Remove-usage-of-ArchiveStreamFactory.patch
 Patch2:         CVE-2023-37460.patch
 Patch3:         Internal-Java-API.patch
 Patch4:         CVE-2021-36373.patch
-Patch5:         CVE-2021-26291.patch
 
 Provides:       bundled(ant) = 1.10.9
 Provides:       bundled(apache-parent) = 23
@@ -203,7 +202,7 @@ Provides:       bundled(maven-parent) = 34
 Provides:       bundled(maven-plugin-testing) = 3.3.0
 Provides:       bundled(maven-plugin-tools) = 3.6.0
 Provides:       bundled(maven-remote-resources-plugin) = 1.7.0
-Provides:       bundled(maven-resolver) = 1.7.0
+Provides:       bundled(maven-resolver) = 1.6.1
 Provides:       bundled(maven-resources-plugin) = 3.2.0
 Provides:       bundled(maven-resources) = 1.4
 Provides:       bundled(maven-shared-incremental) = 1.1
@@ -213,7 +212,7 @@ Provides:       bundled(maven-source-plugin) = 3.2.1
 Provides:       bundled(maven-surefire) = 3.0.0~M3
 Provides:       bundled(maven-verifier) = 1.7.2
 Provides:       bundled(maven-wagon) = 3.4.2
-Provides:       bundled(maven) = 3.8.1
+Provides:       bundled(maven) = 3.6.3
 Provides:       bundled(mockito) = 3.7.13
 Provides:       bundled(modello) = 1.11
 Provides:       bundled(mojo-parent) = 60
@@ -306,8 +305,6 @@ pushd "downstream/ant"
 %patch4 -p1
 popd
 
-%patch5 -p1
-
 # remove guava.xml from javapackage-bootstrap 1.5.0
 # import guava.xml 32.1.3 from Fedora 40
 # edit version from guava.properties
@@ -392,10 +389,6 @@ sed -i 's|/usr/lib/jvm/java-11-openjdk|%{java_home}|' %{buildroot}%{launchersPat
 %doc AUTHORS
 
 %changelog
-* Tue May 13 2025 Kanishk Bansal <[email protected]> - 1.5.0-7
-- Update maven to 3.8.1 and maven-resolver to 1.7.0 to fix CVE-2021-26291
-- Add the CVE-2021-26291.patch to enable these upgrades
-
 * Wed Feb 26 2025 Kshitiz Godara <[email protected]> - 1.5.0-6
 - Patch CVE-2021-36373 and CVE-2021-36374.