import java-1.8.0-openjdk-1.8.0.372.b07-1.el8_7

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz

.java-1.8.0-openjdk.metadata

@@ -1,2 +1,2 @@
-10817d699dd7c85b03cfbd8eb820e00b19ddcae7 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz
+3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

SOURCES/NEWS

@@ -3,6 +3,210 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 8u372 (2023-04-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u372
+
+* CVEs
+  - CVE-2023-21930
+  - CVE-2023-21937
+  - CVE-2023-21938
+  - CVE-2023-21939
+  - CVE-2023-21954
+  - CVE-2023-21967
+  - CVE-2023-21968
+* Security fixes
+  - JDK-8287404: Improve ping times
+  - JDK-8288436: Improve Xalan supports
+  - JDK-8294474: Better AES support
+  - JDK-8295304: Runtime support improvements
+  - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation
+  - JDK-8296676, JDK-8296622: Improve String platform support
+  - JDK-8296684: Improve String platform support
+  - JDK-8296692: Improve String platform support
+  - JDK-8296700: Improve String platform support
+  - JDK-8296832: Improve Swing platform support
+  - JDK-8297371: Improve UTF8 representation redux
+  - JDK-8298191: Enhance object reclamation process
+  - JDK-8298310: Enhance TLS session negotiation
+  - JDK-8298667: Improved path handling
+  - JDK-8299129: Enhance NameService lookups
+* New features
+  - JDK-8230305: Cgroups v2: Container awareness
+* Other changes
+  - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html
+  - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
+  - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+  - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be
+  - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation
+  - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java
+  - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows
+  - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
+  - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB
+  - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error
+  - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
+  - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu
+  - JDK-8156579: Two JavaBeans tests failed
+  - JDK-8156581: Cleanup of ProblemList.txt
+  - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
+  - JDK-8177560: @headful key can be removed from the tests for JavaSound
+  - JDK-8196196: Headful tests should not be run in headless mode
+  - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails
+  - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp
+  - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow
+  - JDK-8205959: Do not restart close if errno is EINTR
+  - JDK-8216366: Add rationale to PER_CPU_SHARES define
+  - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails
+  - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes)
+  - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12
+  - JDK-8229202: Docker reporting causes secondary crashes in error handling
+  - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+  - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation
+  - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
+  - JDK-8234484: Add ability to configure third port for remote JMX
+  - JDK-8237479: 8230305 causes slowdebug build failure
+  - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+  - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+  - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
+  - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
+  - JDK-8242468: VS2019 build missing vcruntime140_1.dll
+  - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
+  - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+  - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+  - JDK-8245654: Add Certigna Root CA
+  - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows
+  - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
+  - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+  - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+  - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+  - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+  - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+  - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
+  - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+  - JDK-8257620: Do not use objc_msgSend_stret to get macOS version
+  - JDK-8262379: Add regression test for JDK-8257746
+  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+  - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+  - JDK-8270317: Large Allocation in CipherSuite
+  - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
+  - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
+  - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+  - JDK-8280048: Missing comma in copyright header
+  - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
+  - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
+  - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
+  - JDK-8283277: ISO 4217 Amendment 171 Update
+  - JDK-8283606: Tests may fail with zh locale on MacOS
+  - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+  - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
+  - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+  - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
+  - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
+  - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+  - JDK-8287109: Distrust.java failed with CertificateExpiredException
+  - JDK-8287463: JFR: Disable TestDevNull.java on Windows
+  - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+  - JDK-8289549: ISO 4217 Amendment 172 Update
+  - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
+  - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u
+  - JDK-8292083: Detected container memory limit may exceed physical machine memory
+  - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
+  - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
+  - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
+  - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings
+  - JDK-8294307: ISO 4217 Amendment 173 Update
+  - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features
+  - JDK-8295322: Tests for JDK-8271459 were not backported to 11u
+  - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
+  - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process
+  - JDK-8296239: ISO 4217 Amendment 174 Update
+  - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
+  - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
+  - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
+  - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
+  - JDK-8297329: [8u] hotspot needs to recognise VS2019
+  - JDK-8297739: Bump update version of OpenJDK: 8u372
+  - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's
+  - JDK-8298027: Remove SCCS id's from awt jtreg tests
+  - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u
+  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
+  - JDK-8299445: EndingDotHostname.java fails because of compilation errors
+  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+  - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u
+  - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u
+  - JDK-8300014: Some backports placed the tests in the wrong location
+  - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems
+  - JDK-8301122: [8u] Fix unreliable vs2010 download link
+  - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper
+  - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig
+  - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport
+  - JDK-8301550: [8u] Enable additional linux build testing in GitHub
+  - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors
+  - JDK-8301760: Fix possible leak in SpNegoContext dispose
+  - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391
+  - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391
+  - JDK-8304053: Revert os specific stubs for SystemMetrics
+  - JDK-8305113: (tz) Update Timezone Data to 2023c
+
+Notes on individual issues:
+===========================
+
+hotspot:
+core-libs:
+
+JDK-8305562: Cgroups v2: Container awareness
+============================================
+The HotSpot runtime code as well as the core libraries code in the JDK
+has been updated in order to detect a cgroup v2 host system when
+running OpenJDK within a Linux container.
+
+Since the 8u202 release of OpenJDK, the container detection code
+recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later
+releases, both versions of the underlying cgroups pseudo filesystem
+will be detected and corresponding container limits applied to the
+OpenJDK runtime.
+
+Without this enhancement, OpenJDK would not apply container resource
+limits when running on a cgroup v2 Linux host system, but would use
+the underlying hosts' resource limits instead.
+
+client-libs/javax.swing:
+
+JDK-8296832: Improve Swing platform support
+===========================================
+Earlier OpenJDK releases would always render HTML object tags embedded in
+Swing HTML components. With this release, rendering only occurs when the
+new system property "swing.html.object" is set to true. By default, it
+is set to false.
+
+core-svc/javax.management:
+
+JDK-8234484: Added Ability to Configure Third Port for Remote JMX
+=================================================================
+A local access port can now be configured for JMX connections by
+setting the property `com.sun.management.jmxremote.local.port`. This
+local port was previously selected at random, which could lead to port
+collisions. The property works in the same way as the existing
+properties for configuring the remote access port
+(`com.sun.management.jmxremote.port`) and the RMI port
+(`com.sun.management.jmxremote.rmi.port`)
+
+security-libs/java.security:
+
+JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate
+==========================================================
+The following root certificate has been added to the cacerts truststore:
+
+Name: Certigna (Dhimyotis)
+Alias Name: certignarootca
+Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR
+
 New in release OpenJDK 8u362 (2023-01-17):
 ===========================================
 Live versions of these release notes can be found at:

SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch

@@ -0,0 +1,167 @@
+commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
+Author: Alexey Bakhtin <abakhtin@openjdk.org>
+Date:   Tue Apr 4 10:29:11 2023 +0000
+
+    8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+    
+    Reviewed-by: andrew, mbalao
+    Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
+
+diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+index a79e97d7c74..5378446b97b 100644
+--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
++++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
+     @Override
+     protected void engineInitVerify(PublicKey publicKey)
+             throws InvalidKeyException {
+-        if (!(publicKey instanceof RSAPublicKey)) {
++        if (publicKey instanceof RSAPublicKey) {
++            RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
++            isPublicKeyValid(rsaPubKey);
++            this.pubKey = rsaPubKey;
++            this.privKey = null;
++            resetDigest();
++        } else {
+             throw new InvalidKeyException("key must be RSAPublicKey");
+         }
+-        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
+-        this.privKey = null;
+-        resetDigest();
+     }
+ 
+     // initialize for signing. See JCA doc
+@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
+     @Override
+     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
+             throws InvalidKeyException {
+-        if (!(privateKey instanceof RSAPrivateKey)) {
++        if (privateKey instanceof RSAPrivateKey) {
++            RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
++            isPrivateKeyValid(rsaPrivateKey);
++            this.privKey = rsaPrivateKey;
++            this.pubKey = null;
++            this.random =
++                    (random == null ? JCAUtil.getSecureRandom() : random);
++            resetDigest();
++        } else {
+             throw new InvalidKeyException("key must be RSAPrivateKey");
+         }
+-        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
+-        this.pubKey = null;
+-        this.random =
+-            (random == null? JCAUtil.getSecureRandom() : random);
+-        resetDigest();
+     }
+ 
+     /**
+@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
+         }
+     }
+ 
++    /**
++     * Validate the specified RSAPrivateKey
++     */
++    private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
++        try {
++            if (prKey instanceof RSAPrivateCrtKey) {
++                RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
++                if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
++                    RSAKeyFactory.checkRSAProviderKeyLengths(
++                            crtKey.getModulus().bitLength(),
++                            crtKey.getPublicExponent());
++                } else {
++                    throw new InvalidKeyException(
++                            "Some of the CRT-specific components are not available");
++                }
++            } else {
++                RSAKeyFactory.checkRSAProviderKeyLengths(
++                        prKey.getModulus().bitLength(),
++                        null);
++            }
++        } catch (InvalidKeyException ikEx) {
++            throw ikEx;
++        } catch (Exception e) {
++            throw new InvalidKeyException(
++                    "Can not access private key components", e);
++        }
++        isValid(prKey);
++    }
++
++    /**
++     * Validate the specified RSAPublicKey
++     */
++    private void isPublicKeyValid(RSAPublicKey pKey)  throws InvalidKeyException {
++        try {
++            RSAKeyFactory.checkRSAProviderKeyLengths(
++                    pKey.getModulus().bitLength(),
++                    pKey.getPublicExponent());
++        } catch (InvalidKeyException ikEx) {
++            throw ikEx;
++        } catch (Exception e) {
++            throw new InvalidKeyException(
++                    "Can not access public key components", e);
++        }
++        isValid(pKey);
++    }
++
+     /**
+      * Validate the specified RSAKey and its associated parameters against
+      * internal signature parameters.
+      */
+-    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
++    private void isValid(RSAKey rsaKey) throws InvalidKeyException {
+         try {
+             AlgorithmParameterSpec keyParams = rsaKey.getParams();
+             // validate key parameters
+@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
+                 }
+                 checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
+             }
+-            return rsaKey;
+         } catch (SignatureException e) {
+             throw new InvalidKeyException(e);
+         }
+diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+index 6b219937981..b3c1fae9672 100644
+--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
++++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
+         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
+         // check all CRT-specific components are available, if any one
+         // missing, return a non-CRT key instead
+-        if ((key.getPublicExponent().signum() == 0) ||
+-            (key.getPrimeExponentP().signum() == 0) ||
+-            (key.getPrimeExponentQ().signum() == 0) ||
+-            (key.getPrimeP().signum() == 0) ||
+-            (key.getPrimeQ().signum() == 0) ||
+-            (key.getCrtCoefficient().signum() == 0)) {
++        if (checkComponents(key)) {
++            return key;
++        } else {
+             return new RSAPrivateKeyImpl(
+                 key.algid,
+                 key.getModulus(),
+-                key.getPrivateExponent()
+-            );
+-        } else {
+-            return key;
++                key.getPrivateExponent());
+         }
+     }
+ 
++    /**
++     * Validate if all CRT-specific components are available.
++     */
++    static boolean checkComponents(RSAPrivateCrtKey key) {
++        return !((key.getPublicExponent().signum() == 0) ||
++            (key.getPrimeExponentP().signum() == 0) ||
++            (key.getPrimeExponentQ().signum() == 0) ||
++            (key.getPrimeP().signum() == 0) ||
++            (key.getPrimeQ().signum() == 0) ||
++            (key.getCrtCoefficient().signum() == 0));
++    }
++
+     /**
+      * Generate a new key from the specified type and components.
+      * Returns a CRT key if possible and a non-CRT key otherwise.

SOURCES/jdk8275535-rh2053256-ldap_auth.patch

@@ -1,26 +0,0 @@
-diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index cf4becb7db..4ab2ac0a31 100644
---- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-                     ctx = getLdapCtxFromUrl(
-                             r.getDomainName(), url, new LdapURL(u), env);
-                     return ctx;
-+                } catch (AuthenticationException e) {
-+                    // do not retry on a different endpoint to avoid blocking
-+                    // the user if authentication credentials are wrong.
-+                    throw e;
-                 } catch (NamingException e) {
-                     // try the next element
-                     lastException = e;
-@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-         for (String u : urls) {
-             try {
-                 return getUsingURL(u, env);
-+            } catch (AuthenticationException e) {
-+                // do not retry on a different URL to avoid blocking
-+                // the user if authentication credentials are wrong.
-+                throw e;
-             } catch (NamingException e) {
-                 ex = e;
-             }

SPECS/java-1.8.0-openjdk.spec

@@ -313,7 +313,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project      openjdk
 %global shenandoah_repo         shenandoah-jdk8u
-%global openjdk_revision        jdk8u362-b09
+%global openjdk_revision        jdk8u372-b07
 %global shenandoah_revision     shenandoah-%{openjdk_revision}
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
@@ -334,7 +334,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      2
+%global rpmrelease      1
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1403,8 +1403,6 @@ Patch539: pr2888-rh2055274-support_system_cacerts-%{cacertsver}.patch
 Patch600: rh1750419-redhat_alt_java.patch
 # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
 Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
-# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
-Patch113: jdk8275535-rh2053256-ldap_auth.patch
 
 #############################################
 #
@@ -1452,13 +1450,15 @@ Patch581: jdk8257794-remove_broken_assert.patch
 
 #############################################
 #
-# Patches appearing in 8u362
+# Patches appearing in 8u382
 #
 # This section includes patches which are present
 # in the listed OpenJDK 8u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
+# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
 
 #############################################
 #
@@ -1527,8 +1527,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2022g required as of JDK-8297804
+# 2023c required as of JDK-8305113
-BuildRequires: tzdata-java >= 2022g
+BuildRequires: tzdata-java >= 2023c
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1878,7 +1878,6 @@ sh %{SOURCE12}
 %patch574
 %patch112
 %patch581
-%patch113
 
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
@@ -1887,6 +1886,8 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # system cacerts support
 %patch539 -p1
+# 8u382 fix
+%patch2001 -p1
 popd
 
 # RPM-only fixes
@@ -2694,6 +2695,18 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Tue Apr 18 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.372.b07-1
+- Update to shenandoah-jdk8u372-b07 (GA)
+- Update release notes for shenandoah-8u372-b07.
+- Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07
+- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
+- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
+- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
+- Drop JDK-8275535/RH2053256 patch which is now upstream
+- Include JDK-8271199 backport early ahead of 8u382 (RH2175317)
+- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
+- Resolves: rhbz#2185182
+
 * Tue Jan 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b09-2
 - Update cacerts patch to fix OPENJDK-1433 SecurityManager issue
 - Update to shenandoah-jdk8u352-b09 (GA)