diff --git a/0003-CVE-2024-34447.patch b/0003-CVE-2024-34447.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f59983f1b3639b1e678c4b9c7350563897f39544
--- /dev/null
+++ b/0003-CVE-2024-34447.patch
@@ -0,0 +1,214 @@
+From c47f6444a744396135322784b5fea1d35d46a8a7 Mon Sep 17 00:00:00 2001
+From: Peter Dettman
+Date: Wed, 3 Apr 2024 21:24:27 +0700
+Subject: [PATCH] BCJSSE: Improved workaround for InetAddress limitation
+
+- URLConnectionUtil now calls BCSSLSocket.setHost instead of direct SNI config
+---
+ .../jsse/provider/ProvSSLSocketDirect.java | 14 ++--
+ .../jsse/provider/ProvSSLSocketWrap.java | 14 ++--
+ .../jsse/util/SetHostSocketFactory.java | 80 +++++++++++++++++++
+ .../jsse/util/URLConnectionUtil.java | 2 +-
+ 4 files changed, 99 insertions(+), 11 deletions(-)
+ create mode 100644 tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
+index fe2d7138c1..245b1eb461 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
+@@ -345,7 +345,6 @@ public synchronized void setEnableSessionCreation(boolean flag)
+ public synchronized void setHost(String host)
+ {
+ this.peerHost = host;
+- this.peerHostSNI = host;
+ }
+ 
+ @Override
+@@ -531,6 +530,7 @@ synchronized void notifyConnected()
+ InetAddress peerAddress = getInetAddress();
+ if (null == peerAddress)
+ {
++ this.peerHostSNI = null;
+ return;
+ }
+ 
+@@ -538,8 +538,8 @@ synchronized void notifyConnected()
+ * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be
+ * usable as a default SNI host_name.
+ */
+-// String originalHostName = null;
+-// if (null != originalHostName)
++// String originalHostName = peerAddress.holder().getOriginalHostName();
++// if (JsseUtils.isNameSpecified(originalHostName))
+ // {
+ // this.peerHost = originalHostName;
+ // this.peerHostSNI = originalHostName;
+@@ -555,13 +555,17 @@ synchronized void notifyConnected()
+ return;
+ }
+ 
+- if (useClientMode && provJdkTlsTrustNameService)
++ if (!useClientMode)
++ {
++ this.peerHost = peerAddress.getHostAddress();
++ }
++ else if (provJdkTlsTrustNameService)
+ {
+ this.peerHost = peerAddress.getHostName();
+ }
+ else
+ {
+- this.peerHost = peerAddress.getHostAddress();
++ this.peerHost = null;
+ }
+ 
+ this.peerHostSNI = null;
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
+index b31f215289..59fabd7bb4 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
+@@ -470,7 +470,6 @@ public synchronized void setEnableSessionCreation(boolean flag)
+ public synchronized void setHost(String host)
+ {
+ this.peerHost = host;
+- this.peerHostSNI = host;
+ }
+ 
+ @Override
+@@ -720,6 +719,7 @@ synchronized void notifyConnected()
+ InetAddress peerAddress = getInetAddress();
+ if (null == peerAddress)
+ {
++ this.peerHostSNI = null;
+ return;
+ }
+ 
+@@ -727,8 +727,8 @@ synchronized void notifyConnected()
+ * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be
+ * usable as a default SNI host_name.
+ */
+-// String originalHostName = null;
+-// if (null != originalHostName)
++// String originalHostName = peerAddress.holder().getOriginalHostName();
++// if (JsseUtils.isNameSpecified(originalHostName))
+ // {
+ // this.peerHost = originalHostName;
+ // this.peerHostSNI = originalHostName;
+@@ -744,13 +744,17 @@ synchronized void notifyConnected()
+ return;
+ }
+ 
+- if (useClientMode && provJdkTlsTrustNameService)
++ if (!useClientMode)
++ {
++ this.peerHost = peerAddress.getHostAddress();
++ }
++ else if (provJdkTlsTrustNameService)
+ {
+ this.peerHost = peerAddress.getHostName();
+ }
+ else
+ {
+- this.peerHost = peerAddress.getHostAddress();
++ this.peerHost = null;
+ }
+ 
+ this.peerHostSNI = null;
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+new file mode 100644
+index 0000000000..0eeccaf367
+--- /dev/null
++++ b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+@@ -0,0 +1,80 @@
++package org.bouncycastle.jsse.util;
++
++import java.net.Socket;
++import java.net.URL;
++import java.util.concurrent.Callable;
++import java.util.logging.Logger;
++
++import javax.net.SocketFactory;
++import javax.net.ssl.SSLSocketFactory;
++
++import org.bouncycastle.jsse.BCSSLSocket;
++
++public class SetHostSocketFactory extends CustomSSLSocketFactory
++{
++ private static final Logger LOG = Logger.getLogger(SetHostSocketFactory.class.getName());
++
++ protected static final ThreadLocal threadLocal = new ThreadLocal();
++
++ /**
++ * Signature matches {@link SSLSocketFactory#getDefault()} so that it can be
++ * used with e.g. the "java.naming.ldap.factory.socket" property or similar.
++ *
++ * @see #call(Callable)
++ */
++ public static SocketFactory getDefault()
++ {
++ SSLSocketFactory sslSocketFactory = threadLocal.get();
++ if (null != sslSocketFactory)
++ {
++ return sslSocketFactory;
++ }
++
++ return SSLSocketFactory.getDefault();
++ }
++
++ protected final URL url;
++
++ public SetHostSocketFactory(SSLSocketFactory delegate, URL url)
++ {
++ super(delegate);
++
++ this.url = url;
++ }
++
++ /**
++ * Calls a {@link Callable} in a context where this class's static
++ * {@link #getDefault()} method will return this {@link SetHostSocketFactory}.
++ */
++ public V call(Callable callable) throws Exception
++ {
++ try
++ {
++ threadLocal.set(this);
++
++ return callable.call();
++ }
++ finally
++ {
++ threadLocal.remove();
++ }
++ }
++
++ @Override
++ protected Socket configureSocket(Socket s)
++ {
++ if (url != null && s instanceof BCSSLSocket)
++ {
++ BCSSLSocket ssl = (BCSSLSocket)s;
++
++ String host = url.getHost();
++ if (host != null)
++ {
++ LOG.fine("Setting host on socket: " + host);
++
++ ssl.setHost(host);
++ }
++ }
++ return s;
++ }
++}
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
+index 63a7db5a0b..6eb4861f2d 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
+@@ -66,6 +66,6 @@ protected URLConnection configureConnection(URL url, URLConnection connection)
+ 
+ protected SSLSocketFactory createSSLSocketFactory(SSLSocketFactory delegate, URL url)
+ {
+- return new SNISocketFactory(delegate, url);
++ return new SetHostSocketFactory(delegate, url);
+ }
+ }
diff --git a/bouncycastle.spec b/bouncycastle.spec
index 10f96d5d2cd262a4bb78b47e12e12a44299f00d3..6cae7e5bd710ed00392cd6430a8ec3a21fb52bc2 100644
--- a/bouncycastle.spec
+++ b/bouncycastle.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global gittag r1rv70
 %global classname org.bouncycastle.jce.provider.BouncyCastleProvider
 
@@ -26,7 +26,8 @@ Source7: get-poms.sh
 # Backport fix for regression in bouncycastle 1.70
 Patch0: 0001-added-back-support-for-subject-key-identifier-check-.patch
 Patch1: 0002-CVE-2023-33201.patch
-
+# From https://kkgithub.com/bcgit/bc-java/commit/c47f6444a744396135322784b5fea1d35d46a8a7
+Patch2: 0003-CVE-2024-34447.patch
 BuildArch: noarch
 
 ExclusiveArch: %{java_arches} noarch
@@ -97,7 +98,6 @@ API documentation for the Bouncy Castle Cryptography APIs.
 %setup -q -n bc-java-%{gittag}
 %patch 0 -p1
 %patch 1 -p1
-
 # Remove bundled binary libs
 find . -type f -name "*.class" -exec rm -f {} \;
 find . -type f -name "*.jar" -exec rm -f {} \;
@@ -222,6 +222,9 @@ fi
 %license LICENSE.html
 
 %changelog
+* Mon Jun 16 2025 lzq11122 - 1.70-4
+- add patch to fix CVE-2024-34447
+
 * Tue Apr 22 2025 wh02252983 - 1.70-3
 - Fix CVE-2023-33201
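Review bot: `Patch2: 0003-CVE-2024-34447.patch` is declared in the `@@ -26,7 +26,8 @@` hunk, but the `%prep` hunk (`@@ -97,7 +98,6 @@`) only removes the blank line after `%patch 1 -p1` and never adds an apply step, so 1.70-4 would be built without the CVE-2024-34447 change even though the new changelog entry says the fix was added; rpmbuild does not normally complain about a Patch tag that is never applied, so nothing in the build would flag this. Add `%patch 2 -p1` directly after `%patch 1 -p1` (the deleted blank line looks like the spot where it was meant to go). Because the patch is currently never applied, the build also never checks that this upstream commit, taken from a 2024 tree, applies cleanly to the r1rv70 sources, which is worth confirming once it is wired in. The provenance comment points at a `kkgithub.com` mirror; citing the canonical bcgit/bc-java URL for commit c47f6444a744396135322784b5fea1d35d46a8a7 makes it straightforward for a later reviewer to verify that the vendored patch matches upstream.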