diff --git a/.gitignore b/.gitignore
index 52b077b..fe33249 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.6.0.tar.gz
+SOURCES/jss-4.6.2.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index cb4e805..d14bd57 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-3d6d2d885129e0d7d8ebac5dfe9055c693a7a9b1 SOURCES/jss-4.6.0.tar.gz
+4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz
diff --git a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch b/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
new file mode 100644
index 0000000..529b576
--- /dev/null
+++ b/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
@@ -0,0 +1,53 @@
+From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 29 Oct 2019 10:43:56 -0400
+Subject: [PATCH] Fix NativeProxy reference tracker
+
+In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
+setting mPointer after trying to add NativeProxy to the registry. In
+most instances this won't matter, however, if another instance exists in
+the HashSet with the same hash value, the equals comparator will be
+used, triggering a NPE.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
+index 1c6d1aa5..a0811f76 100644
+--- a/org/mozilla/jss/util/NativeProxy.java
++++ b/org/mozilla/jss/util/NativeProxy.java
+@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
+      */
+     public NativeProxy(byte[] pointer) {
+ 		assert(pointer!=null);
+-        registry.add(this);
+         mPointer = pointer;
++        registry.add(this);
+ 
+         if (saveStacktraces) {
+             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
+@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
+         if( ! (obj instanceof NativeProxy) ) {
+             return false;
+         }
+-        if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
++        if (((NativeProxy)obj).mPointer == null) {
++            /* If mPointer is null, we have no way to compare the values
++             * of the pointers, so assume they're unequal. */
+             return false;
+         }
+-        for(int i=0; i < mPointer.length; i++) {
+-            if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
+-                return false;
+-            }
+-        }
+-        return true;
++        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
+     }
+ 
+     /**
+-- 
+2.21.0
+
diff --git a/SOURCES/jss-disable-buffer-based-tests.patch b/SOURCES/jss-disable-buffer-based-tests.patch
deleted file mode 100644
index f39763a..0000000
--- a/SOURCES/jss-disable-buffer-based-tests.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From d7d6d769b510118e40d9c0919317665c4c9feb8d Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <alexander.m.scheel@gmail.com>
-Date: Wed, 12 Jun 2019 17:17:45 -0400
-Subject: [PATCH] Disable buffer-based tests
-
-Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
----
- cmake/JSSTests.cmake | 33 ---------------------------------
- 1 file changed, 33 deletions(-)
-
-diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
-index b389be5c..473d7d4d 100644
---- a/cmake/JSSTests.cmake
-+++ b/cmake/JSSTests.cmake
-@@ -78,24 +78,6 @@ macro(jss_tests)
-         NAME "BigObjectIdentifier"
-         COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
-     )
--    jss_test_java(
--        NAME "JSS_Test_PR_FileDesc"
--        COMMAND "org.mozilla.jss.tests.TestPRFD"
--    )
--    jss_test_java(
--        NAME "JSS_Test_Raw_SSL"
--        COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
--        DEPENDS "Setup_DBs"
--    )
--    jss_test_java(
--        NAME "JSS_Test_Buffer"
--        COMMAND "org.mozilla.jss.tests.TestBuffer"
--    )
--    jss_test_java(
--        NAME "JSS_Test_BufferPRFD"
--        COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
--        DEPENDS "List_CA_certs"
--    )
-     if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
-         jss_test_java(
-             NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
-@@ -126,16 +108,6 @@ macro(jss_tests)
-         NAME "JUnit_UTF8StringTest"
-         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
-     )
--    jss_test_exec(
--        NAME "buffer_size_1"
--        COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
--        DEPENDS "generate_c_buffer_size_1"
--    )
--    jss_test_exec(
--        NAME "buffer_size_4"
--        COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
--        DEPENDS "generate_c_buffer_size_4"
--    )
-     jss_test_java(
-         NAME "JUnit_ChainSortingTest"
-         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
-@@ -180,11 +152,6 @@ macro(jss_tests)
-         COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
-         DEPENDS "List_CA_certs"
-     )
--    jss_test_exec(
--        NAME "TestBufferPRFD"
--        COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
--        DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
--    )
-     jss_test_java(
-         NAME "Key_Generation"
-         COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
--- 
-2.21.0
-
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 8b0964b..02cceb3 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -6,7 +6,7 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.6.0
+Version:        4.6.2
 Release:        2%{?_timestamp}%{?_commit_id}%{?dist}
 # global         _phase -a1
 
@@ -24,7 +24,8 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     --stdout \
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
-Patch: jss-disable-buffer-based-tests.patch
+# Patch: jss-VERSION-RELEASE.patch
+Patch: 0001-Fix-NativeProxy-reference-tracker.patch
 
 ################################################################################
 # Build Dependencies
@@ -81,7 +82,6 @@ This only works with gcj. Other JREs require that JCE providers be signed.
 ################################################################################
 
 Summary:        Java Security Services (JSS) Javadocs
-Group:          Documentation
 Requires:       jss = %{version}-%{release}
 
 %description javadoc
@@ -106,6 +106,9 @@ export BUILD_OPT=1
 CFLAGS="-g $RPM_OPT_FLAGS"
 export CFLAGS
 
+# Check if we're in FIPS mode
+modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+
 # The Makefile is not thread-safe
 rm -rf build && mkdir -p build && cd build
 %cmake \
@@ -157,33 +160,46 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
-* Wed Jun 12 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.6.0-2
+* Tue Oct 29 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-2
+- Red Hat Bugzilla #1730767 - JSS: Wrap NSS CMAC + KDF implementations
+- Rebased to JSS 4.6.2
+
+* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
+- Red Hat Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
+
+* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
+- Red Hat Bugzilla #1698059 - pki-core implements crypto
+
+* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
+- Red Hat Bugzilla #1721135 - JSS - LD_FLAGS support
+
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
 - Minor updates to release
 
-* Wed Jun 12 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.6.0-1
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-1
 - Rebased to JSS 4.6.0
 
-* Thu Apr 25 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.5.3-1
+* Thu Apr 25 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.3-1
 - Rebased to JSS 4.5.3
 
-* Fri Aug 10 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-1
+* Fri Aug 10 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-1
 - Rebased to JSS 4.5.0
 
-* Tue Aug 07 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.6
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.6
 - Rebased to JSS 4.5.0-b1
 
-* Tue Aug 07 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.5
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.5
 - Red Hat Bugzilla #1612063 - Do not override system crypto policy (support TLS 1.3)
 
-* Fri Jul 20 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.4
+* Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.4
 - Rebased to JSS 4.5.0-a4
 - Red Hat Bugzilla #1604462 - jss: FTBFS in Fedora rawhide
 
-* Thu Jul 05 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.3
+* Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.3
 - Rebased to JSS 4.5.0-a3
 
-* Fri Jun 22 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.2
+* Fri Jun 22 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.2
 - Rebased to JSS 4.5.0-a2
 
-* Fri Jun 15 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.1
+* Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.1
 - Rebased to JSS 4.5.0-a1