14 changed files with 1500 additions and 10248 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/shenandoah8u432-b06.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@ -1,2 +1,2 @@
-af2d3b85c48ecc8c22188ac687e6160658ef6aca SOURCES/shenandoah8u432-b06.tar.xz
+3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@ -3,889 +3,6 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release OpenJDK 8u432 (2024-10-15):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u432
 * CVEs
  - CVE-2024-21208
  - CVE-2024-21210
  - CVE-2024-21217
  - CVE-2024-21235
 * Security fixes
  - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
  - JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
  - JDK-8328286: Enhance HTTP client
  - JDK-8328544: Improve handling of vectorization
  - JDK-8328726: Better Kerberos support
  - JDK-8331446: Improve deserialization support
  - JDK-8332644: Improve graph optimizations
  - JDK-8335713: Enhance vectorization analysis
 * Other changes
  - JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
  - JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
  - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
  - JDK-8021775: compiler/8009761/Test8009761.java  "Failed: init recursive calls: 51. After deopt 50"
  - JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
  - JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option
  - JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use
  - JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
  - JDK-8137329: [windows] Build broken on VS2010 after  "8046148: JEP 158: Unified JVM Logging"
  - JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
  - JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
  - JDK-8193682: Infinite loop in ZipOutputStream.close()
  - JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
  - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
  - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
  - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
  - JDK-8251188: Update LDAP tests not to use wildcard addresses
  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
  - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
  - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
  - JDK-8279164: Disable TLS_ECDH_* cipher suites
  - JDK-8281096: Flags introduced by configure script are not passed to ADLC build
  - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
  - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
  - JDK-8299677: Formatter.format might take a long time to format an integer or floating-point
  - JDK-8305400: ISO 4217 Amendment 175 Update
  - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
  - JDK-8307779: Relax the java.awt.Robot specification
  - JDK-8309138: Fix container tests for jdks with symlinked conf dir
  - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
  - JDK-8315117: Update Zlib Data Compression Library to Version 1.3
  - JDK-8315863: [GHA] Update checkout action to use v4
  - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
  - JDK-8318039: GHA: Bump macOS and Xcode versions
  - JDK-8318951: Additional negative value check in JPEG decoding
  - JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese
  - JDK-8321480: ISO 4217 Amendment 176 Update
  - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
  - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
  - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
  - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
  - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
  - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
  - JDK-8330415: Update system property for Java SE specification maintenance version
  - JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
  - JDK-8333126: Bump update version of OpenJDK: 8u432
  - JDK-8333669: [8u] GHA: Dead VS2010 download link
  - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
  - JDK-8334653: ISO 4217 Amendment 177 Update
  - JDK-8334905: [8u] The test java/awt/Mixing/AWT_Mixing/JButtonOverlapping.java started to fail after 8159690
  - JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
  - JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
  - JDK-8336928: GHA: Bundle artifacts removal broken
  - JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory
  - JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
  - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  - JDK-8338144: [8u] Remove duplicate license files
  - JDK-8341057: Add 2 SSL.com TLS roots
  - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 Notes on individual issues:
 ===========================
 security-libs/javax.net.ssl:
 JDK-8279164: Disable TLS_ECDH_* cipher suites
 =============================================
 The TLS_ECDH cipher suites do not preserve forward secrecy and are
 rarely used in practice. With this release, they are disabled by
 adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in
 the `java.security` configuration file. Attempts to use these suites
 with this release will result in a `SSLHandshakeException` being
 thrown. Note that ECDH cipher suites which use RC4 were already
 disabled prior to this change.
 Users can, *at their own risk*, remove this restriction by modifying
 the `java.security` configuration file (or override it by using the
 `java.security.properties` system property) so "ECDH" is no longer
 listed in the `jdk.tls.disabledAlgorithms` security property.
 This change has no effect on TLS_ECDHE cipher suites, which remain
 enabled by default.
 JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
 JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 ====================================================================================================
 In accordance with similar plans recently announced by Google and
 Mozilla, the JDK will not trust Transport Layer Security (TLS)
 certificates issued after the 11th of November 2024 which are anchored
 by Entrust root certificates.  This includes certificates branded as
 AffirmTrust, which are managed by Entrust.
 Certificates issued on or before November 11th, 2024 will continue to
 be trusted until they expire.
 If a server's certificate chain is anchored by an affected
 certificate, attempts to negotiate a TLS session will fail with an
 Exception that indicates the trust anchor is not trusted. For example,
 "TLS server certificate issued after 2024-11-11 and anchored by a
 distrusted legacy Entrust root CA: CN=Entrust.net Certification
 Authority (2048), OU=(c) 1999 Entrust.net Limited,
 OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
 O=Entrust.net"
 To check whether a certificate in a JDK keystore is affected by this
 change, you can the `keytool` utility:
 keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
 If any of the certificates in the chain are affected by this change,
 then you will need to update the certificate or contact the
 organisation responsible for managing the certificate.
 These restrictions apply to the following Entrust root certificates
 included in the JDK:
 Alias name: entrustevca [jdk]
 CN=Entrust Root Certification Authority
 OU=(c) 2006 Entrust, Inc.
 OU=www.entrust.net/CPS is incorporated by reference
 O=Entrust, Inc.
 C=US
 SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
 Alias name: entrustrootcaec1 [jdk]
 CN=Entrust Root Certification Authority - EC1
 OU=(c) 2012 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
 Alias name: entrustrootcag2 [jdk]
 CN=Entrust Root Certification Authority - G2
 OU=(c) 2009 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
 Alias name: entrustrootcag4 [jdk]
 CN=Entrust Root Certification Authority - G4
 OU=(c) 2015 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
 Alias name: entrust2048ca [jdk]
 CN=Entrust.net Certification Authority (2048)
 OU=(c) 1999 Entrust.net Limited
 OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)
 O=Entrust.net
 SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
 Alias name: affirmtrustcommercialca [jdk]
 CN=AffirmTrust Commercial
 O=AffirmTrust
 C=US
 SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
 Alias name: affirmtrustnetworkingca [jdk]
 CN=AffirmTrust Networking
 O=AffirmTrust
 C=US
 SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
 Alias name: affirmtrustpremiumca [jdk]
 CN=AffirmTrust Premium
 O=AffirmTrust
 C=US
 SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
 Alias name: affirmtrustpremiumeccca [jdk]
 CN=AffirmTrust Premium ECC
 O=AffirmTrust
 C=US
 SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
 Users can, *at their own risk*, remove this restriction by modifying
 the `java.security` configuration file (or override it by using the
 `java.security.properties` system property) so "ENTRUST_TLS" is no
 longer listed in the `jdk.security.caDistrustPolicies` security
 property.
 security-libs/java.security:
 JDK-8341057: Add 2 SSL.com TLS roots
 ====================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: SSL.com
 Alias Name: ssltlsrootecc2022
 Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
 Name: SSL.com
 Alias Name: ssltlsrootrsa2022
 Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
 client-libs:
 JDK-8307779: Relax the java.awt.Robot specification
 ===================================================
 This release of OpenJDK 8 updates to the latest maintenance release of
 the Java 8 specification. This relaxes the specification of three
 methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
 `getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to
 allow these methods to fail when the desktop environment does not
 permit moving the mouse pointer or capturing screen content.
 core-libs/javax.naming:
 JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
 ===============================================================================================================================
 With this OpenJDK release, the JDK implementation of the LDAP provider
 no longer supports the deserialisation of Java objects by
 default. This is achieved by the system property
 `com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
 default.
 Note that this release also increases the scope of the
 `com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction
 of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
 The result of this change is that transparent deserialisation of Java
 objects will require an explicit opt-in. Applications that wish to
 reconstruct Java objects and RMI stubs from LDAP attributes will need
 to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`.
 core-libs/java.net:
 JDK-8328286: Enhance HTTP client
 ================================
 This OpenJDK release limits the maximum header field size accepted by
 the HTTP client within the JDK for all supported versions of the HTTP
 protocol. The header field size is computed as the sum of the size of
 the uncompressed header name, the size of the uncompressed header
 value and a overhead of 32 bytes for each field section line. If a
 peer sends a field section that exceeds this limit, a
 `java.net.ProtocolException` will be raised.
 This release also introduces a new system property,
 `jdk.http.maxHeaderSize`. This property can be used to alter the
 maximum header field size (in bytes) or disable it by setting the
 value to zero or a negative value. The default value is 393,216 bytes
 or 384kB.
 core-libs/java.util.jar:
 JDK-8193682: Infinite loop in ZipOutputStream.close()
 =====================================================
 In previous releases, the `DeflaterOutputStream.close()`,
 `GZIPOutputStream.finish()` and `ZipOutputStream.closeEntry()` methods
 did not close the associated default JDK compressor when an exception
 was thrown during closure.  With this release, the default compressor
 is closed before propogating the Throwable up the stack. In the case
 of `ZipOutputStream`, this only happens when the exception is not a
 `ZipException`.
 New in release OpenJDK 8u422 (2024-07-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u422
 * CVEs
  - CVE-2024-21131
  - CVE-2024-21138
  - CVE-2024-21140
  - CVE-2024-21144
  - CVE-2024-21145
  - CVE-2024-21147
 * Security fixes
  - JDK-8314794: Improve UTF8 String supports
  - JDK-8319859: Better symbol storage
  - JDK-8320097: Improve Image transformations
  - JDK-8320548: Improved loop handling
  - JDK-8322106: Enhance Pack 200 loading
  - JDK-8323231: Improve array management
  - JDK-8323390: Enhance mask blit functionality
  - JDK-8324559: Improve 2D image handling
  - JDK-8325600: Better symbol storage
 * Other changes
  - JDK-8025439: [TEST BUG] [macosx] PrintServiceLookup.lookupPrintServices doesn't work properly since jdk8b105
  - JDK-8069389: CompilerOracle prefix wildcarding is broken for long strings
  - JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/bug7123767.java: number of checked graphics configurations should be limited
  - JDK-8159690: [TESTBUG] Mark headful tests with @key headful.
  - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
  - JDK-8203691: [TESTBUG] Test /runtime/containers/cgroup/PlainRead.java fails
  - JDK-8205407: [windows, vs<2017] C4800 after 8203197
  - JDK-8235834: IBM-943 charset encoder needs updating
  - JDK-8239965: XMLEncoder/Test4625418.java fails due to "Error: Cp943 - can't read properly"
  - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
  - JDK-8256152: tests fail because of ambiguous method resolution
  - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
  - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
  - JDK-8268916: Tests for AffirmTrust roots
  - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
  - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
  - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
  - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
  - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
  - JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL
  - JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM
  - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074
  - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate.
  - JDK-8316138: Add GlobalSign 2 TLS root certificates
  - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows
  - JDK-8320005: Allow loading of shared objects with .a extension on AIX
  - JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
  - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing
  - JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
  - JDK-8326686: Bump update version of OpenJDK: 8u422
  - JDK-8327440: Fix "bad source file" error during beaninfo generation
  - JDK-8328809: [8u] Problem list some CA tests
  - JDK-8328825: Google CAInterop test failures
  - JDK-8329544: [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary
  - JDK-8331791: [8u] AIX build break from JDK-8320005 backport
  - JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
  - JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3 ::Identity signature fixes
 Notes on individual issues:
 ===========================
 core-libs/java.net:
 JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
 ===========================================================================
 Two system properties have been added which control the keep alive
 behavior of HttpURLConnection in the case where the server does not
 specify a keep alive time. These are:
 * `http.keepAlive.time.server`
 * `http.keepAlive.time.proxy`
 which control the number of seconds before an idle connection to a
 server or proxy will be closed, respectively. If the server or proxy
 specifies a keep alive time in a "Keep-Alive" response header, this
 will take precedence over the values of these properties.
 security-libs/java.security:
 JDK-8316138: Add GlobalSign 2 TLS root certificates
 ===================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: GlobalSign
 Alias Name: globalsignr46
 Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
 Name: GlobalSign
 Alias Name: globalsigne46
 Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
 New in release OpenJDK 8u412 (2024-04-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u412
 * CVEs
  - CVE-2024-21011
  - CVE-2024-21085
  - CVE-2024-21068
  - CVE-2024-21094
 * Security fixes
  - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
  - JDK-8318340: Improve RSA key implementations
  - JDK-8319851: Improve exception logging
  - JDK-8322114: Improve Pack 200 handling
  - JDK-8322122: Enhance generation of addresses
 * Other changes
  - JDK-8011180: Delete obsolete scripts
  - JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
  - JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
  - JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
  - JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
  - JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
  - JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
  - JDK-8168518: rcache interop with krb5-1.15
  - JDK-8183503: Update hotspot tests to allow for unique test classes directory
  - JDK-8186095: upgrade to jtreg 4.2 b08
  - JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
  - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
  - JDK-8208655: use JTreg skipped status in hotspot tests
  - JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
  - JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
  - JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
  - JDK-8224768: Test ActalisCA.java fails
  - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
  - JDK-8251551: Use .md filename extension for README
  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
  - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error
  - JDK-8270517: Add Zero support for LoongArch
  - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
  - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests
  - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
  - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
  - JDK-8308592: Framework for CA interoperability testing
  - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
  - JDK-8315042: NPE in PKCS7.parseOldSignedData
  - JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
  - JDK-8320713: Bump update version of OpenJDK: 8u412
  - JDK-8321060: [8u] hotspot needs to recognise VS2022
  - JDK-8321408: Add Certainly roots R1 and E1
  - JDK-8322725: (tz) Update Timezone Data to 2023d
  - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
  - JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
  - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
  - JDK-8324530: Build error with gcc 10
  - JDK-8325150: (tz) Update Timezone Data to 2024a
 Notes on individual issues:
 ===========================
 security-libs/org.ietf.jgss:krb5:
 JDK-8168518: rcache interop with krb5-1.15
 ==========================================
 The hash algorithm used in the Kerberos 5 replay cache file (rcache)
 has been changed from MD5 to SHA256. This is the same algorithm used
 by MIT krb5-1.15 and is interoperable with earlier releases of MIT
 krb5.
 The MD5 algorithm can still be used by setting the new
 jdk.krb5.rcache.useMD5 property to 'true':
 java -Djdk.krb5.rcache.useMD5=true ...
 This is useful where either the system has a coarse clock and has to
 depend on hash values in replay attack detection, or interoperability
 with the rcache files in older versions of OpenJDK is required.
 client-libs/java.awt:
 JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
 =======================================================================
 The java.awt.SystemTray API is used to interact with the system's
 desktop taskbar to provide notifications and may include an icon
 representing an application. The GNOME desktop's support for taskbar
 icons has not worked properly for several years, due to a platform
 bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
 desktops.
 Therefore, in accordance with the SystemTray API specification,
 java.awt.SystemTray.isSupported() will now return false on systems
 that exhibit this bug, which is assumed to be those running a version
 of GNOME Shell below 45.
 The impact of this change is likely to be minimal, as users of the
 SystemTray API should already be able to handle isSupported()
 returning false and the system tray on such platforms has already been
 unsupported for a number of years for all applications.
 security-libs/java.security:
 JDK-8321408: Added Certainly R1 and E1 Root Certificates
 ========================================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Certainly
 Alias Name: certainlyrootr1
 Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
 Name: Certainly
 Alias Name: certainlyroote1
 Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
 New in release OpenJDK 8u402 (2024-01-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u402
 * CVEs
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20926
  - CVE-2024-20945
  - CVE-2024-20952
 * Security fixes
  - JDK-8308204: Enhanced certificate processing
  - JDK-8314284: Enhance Nashorn performance
  - JDK-8314295: Enhance verification of verifier
  - JDK-8314307: Improve loop handling
  - JDK-8314468: Improve Compiler loops
  - JDK-8316976: Improve signature handling
  - JDK-8317547: Enhance TLS connection support
 * Other changes
  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
  - JDK-8029995: accept yes/no for boolean krb5.conf settings
  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
  - JDK-8176509: Use pandoc for converting build readme to html
  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
  - JDK-8207404: MulticastSocket tests failing on AIX
  - JDK-8212677: X11 default visual support for IM status window on VNC
  - JDK-8239365: ProcessBuilder test modifications for AIX execution
  - JDK-8271838: AmazonCA.java interop test fails
  - JDK-8285398: Cache the results of constraint checks
  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
  - JDK-8307837: [8u] Check step in GHA should also print errors
  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
  - JDK-8315280: Bump update version of OpenJDK: 8u402
  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
  - JDK-8317291: Missing null check for nmethod::is_native_method()
  - JDK-8317373: Add Telia Root CA v2
  - JDK-8317374: Add Let's Encrypt ISRG Root X2
  - JDK-8318759: Add four DigiCert root certificates
  - JDK-8319187: Add three eMudhra emSign roots
  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
 Notes on individual issues:
 ===========================
 security-libs/org.ietf.jgss:krb5:
 JDK-8029995: accept yes/no for boolean krb5.conf settings
 =========================================================
 The krb5.conf configuration file now also accepts "yes" and "no", as
 alternatives to the existing "true" and "false" support, when using
 settings that take boolean values.
 security-libs/java.security:
 JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
 ===============================================================================================================================
 A maximum signature file size property, jdk.jar.maxSignatureFileSize,
 was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
 default of 8MB. This default proved to be too small for some JAR
 files. This release, 8u402, increases it to 16MB.
 JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
 =================================================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Let's Encrypt
 Alias Name: letsencryptisrgx2
 Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
 JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
 =============================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: DigiCert, Inc.
 Alias Name: digicertcseccrootg5
 Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicertcsrsarootg5
 Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicerttlseccrootg5
 Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicerttlsrsarootg5
 Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
 JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
 ============================================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: eMudhra Technologies Limited
 Alias Name: emsignrootcag1
 Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 Name: eMudhra Technologies Limited
 Alias Name: emsigneccrootcag3
 Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 Name: eMudhra Technologies Limited
 Alias Name: emsignrootcag2
 Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 JDK-8317373: Added Telia Root CA v2 Certificate
 ===============================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Telia Root CA v2
 Alias Name: teliarootcav2
 Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
 New in release OpenJDK 8u392 (2023-10-17):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u392
 * CVEs
  - CVE-2023-22067
  - CVE-2023-22081
 * Security fixes
  - JDK-8286503, JDK-8312367: Enhance security classes
  - JDK-8297856: Improve handling of Bidi characters
  - JDK-8303384: Improved communication in CORBA
  - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
  - JDK-8309966: Enhanced TLS connections
 * Other changes
  - JDK-6722928: Provide a default native GSS-API library on Windows
  - JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
  - JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
  - JDK-8139348: Deprecate 3DES and RC4 in Kerberos
  - JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
  - JDK-8200468: Port the native GSS-API bridge to Windows
  - JDK-8202952: C2: Unexpected dead nodes after matching
  - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
  - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
  - JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
  - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
  - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
  - JDK-8232225: Rework the fix for JDK-8071483
  - JDK-8242330: Arrays should be cloned in several JAAS Callback classes
  - JDK-8253269: The CheckCommonColors test should provide more info on failure
  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
  - JDK-8284910: Buffer clean in PasswordCallback
  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
  - JDK-8287663: Add a regression test for JDK-8287073
  - JDK-8295685: Update Libpng to 1.6.38
  - JDK-8295894: Remove SECOM certificate that is expiring in September 2023
  - JDK-8308788: [8u] Remove duplicate HaricaCA.java test
  - JDK-8309122: Bump update version of OpenJDK: 8u392
  - JDK-8309143: [8u] fix archiving inconsistencies in GHA
  - JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
  - JDK-8314960: Add Certigna Root CA - 2
  - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
  - JDK-8317040: Exclude cleaner test failing on older releases
 Notes on individual issues:
 ===========================
 other-libs/corba:idl:
 JDK-8303384: Improved communication in CORBA
 ============================================
 The JDK's CORBA implementation now provides the option to limit
 serialisation in stub objects to those with the "IOR:" prefix.  For
 ORB constrained stub classes:
 * _DynArrayStub
 * _DynEnumStub
 * _DynFixedStub
 * _DynSequenceStub
 * _DynStructStub
 * _DynUnionStub
 * _DynValueStub
 * _DynAnyStub
 * _DynAnyFactoryStub
 this is enabled by default and may be disabled by setting the system
 property org.omg.DynamicAny.disableIORCheck to 'true'.
 For remote service stub classes:
 * _NamingContextStub
 * _BindingIteratorStub
 * _NamingContextExtStub
 * _ServantActivatorStub
 * _ServantLocatorStub
 * _ServerManagerStub
 * _ActivatorStub
 * _RepositoryStub
 * _InitialNameServiceStub
 * _LocatorStub
 * _ServerStub
 it is disabled by default and may be enabled by setting the system
 property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
 security-libs/org.ietf.jgss:
 JDK-6722928: Added a Default Native GSS-API Library on Windows
 ==============================================================
 A native GSS-API library named `sspi_bridge.dll` has been added to the
 JDK on the Windows platform.  As with native GSS-API library provision
 on other operating systems, it will only be loaded when the
 `sun.security.jgss.native` system property is set to "true". A user
 can still load a third-party native GSS-API library instead by setting
 the `sun.security.jgss.lib` system property to the appropriate path.
 The library is client-side only and uses the default credentials.
 Native GSS support automatically uses cached credentials from the
 underlying operating system, so the
 `javax.security.auth.useSubjectCredsOnly` system property should be
 set to false.
 The `com.sun.security.auth.module.Krb5LoginModule` does not call
 native JGSS and so its use in your JAAS config should be avoided.
 security-libs/org.ietf.jgss:krb5:
 JDK-8139348: Deprecate 3DES and RC4 in Kerberos
 ===============================================
 The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
 are now deprecated and disabled by default.  To re-enable them, you
 can either enable all weak crypto (which also includes `des-cbc-crc`
 and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
 `krb5.conf` configuration file or explicitly list all the preferred
 encryption types using the `default_tkt_enctypes`,
 `default_tgs_enctypes`, or `permitted_enctypes` settings.
 security-libs/java.security:
 JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
 ==================================================================
 The following root certificate from SECOM Trust System has been
 removed from the `cacerts` keystore:
 Alias Name: secomscrootca1 [jdk]
 Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
 JDK-8314960: Added Certigna Root CA Certificate
 ===============================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Certigna (Dhimyotis)
 Alias Name: certignarootca
 Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
 security-libs/javax.security:
 JDK-8242330: Arrays should be cloned in several JAAS Callback classes
 =====================================================================
 In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
 were not cloned when passed into a constructor or returned. This
 allowed an external program to get access to the internal fields of
 these classes. The classes have been updated to return cloned arrays.
 New in release OpenJDK 8u382 (2023-07-18):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u382
 * CVEs
  - CVE-2023-22045
  - CVE-2023-22049
 * Security fixes
  - JDK-8298676: Enhanced Look and Feel
  - JDK-8300596: Enhance Jar Signature validation
  - JDK-8304468: Better array usages
  - JDK-8305312: Enhanced path handling
 * Other changes
  - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
  - JDK-8151460: Metaspace counters can have inconsistent values
  - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
  - JDK-8185736: missing default exception handler in calls to rethrow_Stub
  - JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
  - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
  - JDK-8241311: Move some charset mapping tests from closed to open
  - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
  - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
  - JDK-8276841: Add support for Visual Studio 2022
  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
  - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
  - JDK-8282345: handle latest VS2022 in abstract_vm_version
  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
  - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
  - JDK-8293232: Fix race condition in pkcs11 SessionManager
  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
  - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
  - JDK-8298108: Add a regression test for JDK-8297684
  - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
  - JDK-8301119: Support for GB18030-2022
  - JDK-8301400: Allow additional characters for GB18030-2022 support
  - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
  - JDK-8303028: Update system property for Java SE specification maintenance version
  - JDK-8303462: Bump update version of OpenJDK: 8u382
  - JDK-8304760: Add 2 Microsoft TLS roots
  - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
  - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
  - JDK-8305975: Add TWCA Global Root CA
  - JDK-8307134: Add GTS root CAs
  - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
  - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
  - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119
 Notes on individual issues:
 ===========================
 core-libs/java.lang:
 JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
 ===========================================================================
 In order to support "Implementation Level 2" of the GB18030-2022
 standard, the JDK must be able to use characters from the CJK Unified
 Ideographs Extension E block of Unicode 8.0.  The addition of these
 characters forms Maintenance Release 5 of the Java SE 8 specification,
 which is implemented in this release of OpenJDK via the addition of a
 new UnicodeBlock instance,
 Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.
 core-libs/java.util.jar:
 8300596: Enhance Jar Signature validation
 =========================================
 A System property "jdk.jar.maxSignatureFileSize" is introduced to
 configure the maximum number of bytes allowed for the
 signature-related files in a JAR file during verification. The default
 value is 8000000 bytes (8 MB).
 security-libs/java.security:
 JDK-8307134: Added 4 GTS Root CA Certificates
 =============================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar1
 Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar2
 Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar3
 Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar4
 Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
 JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
 =====================================================================
 The following root certificates has been added to the cacerts
 truststore:
 Name: Microsoft Corporation
 Alias Name: microsoftecc2017
 Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
 Name: Microsoft Corporation
 Alias Name: microsoftrsa2017
 Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
 JDK-8305975: Added TWCA Root CA Certificate
 ===========================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: TWCA
 Alias Name: twcaglobalrootca
 Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
 New in release OpenJDK 8u372 (2023-04-18):
 ===========================================
 Live versions of these release notes can be found at:
@ -1380,6 +497,19 @@ the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 core-libs/java.net:
 JDK-8286918: Better HttpServer service
 ======================================
 The HttpServer can be optionally configured with a maximum connection
 limit by setting the jdk.httpserver.maxConnections system property. A
 value of 0 or a negative integer is ignored and considered to
 represent no connection limit. In the case of a positive integer
 value, any newly accepted connections will be first checked against
 the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 security-libs/javax.net.ssl:
 JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@ -1577,7 +707,7 @@ device paths such as `NUL:` are *not* used.
 New in release OpenJDK 8u332 (2022-04-22):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bitly.com/openjdk8u332
+  * https://bit.ly/openjdk8u332
  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
 * Security fixes
--- a/SOURCES/java-1.8.0-openjdk-portable.specfile
+++ b/SOURCES/java-1.8.0-openjdk-portable.specfile
--- a/SOURCES/java-1.8.0-openjdk-remove-intree-libraries.sh
+++ b/SOURCES/java-1.8.0-openjdk-remove-intree-libraries.sh
@ -0,0 +1,131 @@
 #!/bin/sh
 ZIP_SRC=openjdk/jdk/src/share/native/java/util/zip/zlib
 JPEG_SRC=openjdk/jdk/src/share/native/sun/awt/image/jpeg
 GIF_SRC=openjdk/jdk/src/share/native/sun/awt/giflib
 PNG_SRC=openjdk/jdk/src/share/native/sun/awt/libpng
 LCMS_SRC=openjdk/jdk/src/share/native/sun/java2d/cmm/lcms
 echo "Removing built-in libs (they will be linked)"
 echo "Removing zlib"
 if [ ! -d ${ZIP_SRC} ]; then
 	echo "${ZIP_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${ZIP_SRC}
 echo "Removing libjpeg"
 if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
 	echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
 	exit 1
 fi	
 rm -vf ${JPEG_SRC}/jcomapi.c
 rm -vf ${JPEG_SRC}/jdapimin.c
 rm -vf ${JPEG_SRC}/jdapistd.c
 rm -vf ${JPEG_SRC}/jdcoefct.c
 rm -vf ${JPEG_SRC}/jdcolor.c
 rm -vf ${JPEG_SRC}/jdct.h
 rm -vf ${JPEG_SRC}/jddctmgr.c
 rm -vf ${JPEG_SRC}/jdhuff.c
 rm -vf ${JPEG_SRC}/jdhuff.h
 rm -vf ${JPEG_SRC}/jdinput.c
 rm -vf ${JPEG_SRC}/jdmainct.c
 rm -vf ${JPEG_SRC}/jdmarker.c
 rm -vf ${JPEG_SRC}/jdmaster.c
 rm -vf ${JPEG_SRC}/jdmerge.c
 rm -vf ${JPEG_SRC}/jdphuff.c
 rm -vf ${JPEG_SRC}/jdpostct.c
 rm -vf ${JPEG_SRC}/jdsample.c
 rm -vf ${JPEG_SRC}/jerror.c
 rm -vf ${JPEG_SRC}/jerror.h
 rm -vf ${JPEG_SRC}/jidctflt.c
 rm -vf ${JPEG_SRC}/jidctfst.c
 rm -vf ${JPEG_SRC}/jidctint.c
 rm -vf ${JPEG_SRC}/jidctred.c
 rm -vf ${JPEG_SRC}/jinclude.h
 rm -vf ${JPEG_SRC}/jmemmgr.c
 rm -vf ${JPEG_SRC}/jmemsys.h
 rm -vf ${JPEG_SRC}/jmemnobs.c
 rm -vf ${JPEG_SRC}/jmorecfg.h
 rm -vf ${JPEG_SRC}/jpegint.h
 rm -vf ${JPEG_SRC}/jpeglib.h
 rm -vf ${JPEG_SRC}/jquant1.c
 rm -vf ${JPEG_SRC}/jquant2.c
 rm -vf ${JPEG_SRC}/jutils.c
 rm -vf ${JPEG_SRC}/jcapimin.c
 rm -vf ${JPEG_SRC}/jcapistd.c
 rm -vf ${JPEG_SRC}/jccoefct.c
 rm -vf ${JPEG_SRC}/jccolor.c
 rm -vf ${JPEG_SRC}/jcdctmgr.c
 rm -vf ${JPEG_SRC}/jchuff.c
 rm -vf ${JPEG_SRC}/jchuff.h
 rm -vf ${JPEG_SRC}/jcinit.c
 rm -vf ${JPEG_SRC}/jconfig.h
 rm -vf ${JPEG_SRC}/jcmainct.c
 rm -vf ${JPEG_SRC}/jcmarker.c
 rm -vf ${JPEG_SRC}/jcmaster.c
 rm -vf ${JPEG_SRC}/jcparam.c
 rm -vf ${JPEG_SRC}/jcphuff.c
 rm -vf ${JPEG_SRC}/jcprepct.c
 rm -vf ${JPEG_SRC}/jcsample.c
 rm -vf ${JPEG_SRC}/jctrans.c
 rm -vf ${JPEG_SRC}/jdtrans.c
 rm -vf ${JPEG_SRC}/jfdctflt.c
 rm -vf ${JPEG_SRC}/jfdctfst.c
 rm -vf ${JPEG_SRC}/jfdctint.c
 rm -vf ${JPEG_SRC}/jversion.h
 rm -vf ${JPEG_SRC}/README
 echo "Removing giflib"
 if [ ! -d ${GIF_SRC} ]; then
 	echo "${GIF_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${GIF_SRC}
 echo "Removing libpng"
 if [ ! -d ${PNG_SRC} ]; then
 	echo "${PNG_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${PNG_SRC}
 echo "Removing lcms"
 if [ ! -d ${LCMS_SRC} ]; then
 	echo "${LCMS_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi
 # temporary change to move bundled LCMS
 if [ ! true ]; then
 rm -vf ${LCMS_SRC}/cmsalpha.c
 rm -vf ${LCMS_SRC}/cmscam02.c
 rm -vf ${LCMS_SRC}/cmscgats.c
 rm -vf ${LCMS_SRC}/cmscnvrt.c
 rm -vf ${LCMS_SRC}/cmserr.c
 rm -vf ${LCMS_SRC}/cmsgamma.c
 rm -vf ${LCMS_SRC}/cmsgmt.c
 rm -vf ${LCMS_SRC}/cmshalf.c
 rm -vf ${LCMS_SRC}/cmsintrp.c
 rm -vf ${LCMS_SRC}/cmsio0.c
 rm -vf ${LCMS_SRC}/cmsio1.c
 rm -vf ${LCMS_SRC}/cmslut.c
 rm -vf ${LCMS_SRC}/cmsmd5.c
 rm -vf ${LCMS_SRC}/cmsmtrx.c
 rm -vf ${LCMS_SRC}/cmsnamed.c
 rm -vf ${LCMS_SRC}/cmsopt.c
 rm -vf ${LCMS_SRC}/cmspack.c
 rm -vf ${LCMS_SRC}/cmspcs.c
 rm -vf ${LCMS_SRC}/cmsplugin.c
 rm -vf ${LCMS_SRC}/cmsps2.c
 rm -vf ${LCMS_SRC}/cmssamp.c
 rm -vf ${LCMS_SRC}/cmssm.c
 rm -vf ${LCMS_SRC}/cmstypes.c
 rm -vf ${LCMS_SRC}/cmsvirt.c
 rm -vf ${LCMS_SRC}/cmswtpnt.c
 rm -vf ${LCMS_SRC}/cmsxform.c
 rm -vf ${LCMS_SRC}/lcms2.h
 rm -vf ${LCMS_SRC}/lcms2_internal.h
 rm -vf ${LCMS_SRC}/lcms2_plugin.h
 fi
--- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
+++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
@ -7,11 +7,10 @@
 PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
 Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
-diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4
+diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
-index 113bf367e2..bed030e8d1 100644
+--- openjdk.orig///common/autoconf/flags.m4
--- a/common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
-+++ b/common/autoconf/flags.m4
+@@ -402,6 +402,21 @@
@@ -451,6 +451,21 @@ AC_DEFUN_ONCE([FLAGS_SETUP_COMPILER_FLAGS_FOR_JDK],
     AC_SUBST($2CXXSTD_CXXFLAG)
   fi
@ -23,7 +22,7 @@ index 113bf367e2..bed030e8d1 100644
 +    # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
 +    # While waiting for a better solution, the current workaround is to use -mstackrealign
 +    # This is also required on Linux systems which use libraries compiled with SSE instructions
-+    REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+    REALIGN_CFLAG="-mstackrealign"
 +    FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
 +      AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
 +    )
@ -33,32 +32,23 @@ index 113bf367e2..bed030e8d1 100644
   if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
     AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
   fi
-diff --git a/common/autoconf/hotspot-spec.gmk.in b/common/autoconf/hotspot-spec.gmk.in
+diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
-index 3f86751d2b..f8a271383f 100644
+--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
--- a/common/autoconf/hotspot-spec.gmk.in
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
-+++ b/common/autoconf/hotspot-spec.gmk.in
+@@ -112,7 +112,8 @@
-@@ -114,13 +114,14 @@ RC:=@HOTSPOT_RC@
+ RC:=@HOTSPOT_RC@
- # Retain EXTRA_{CFLAGS,CXXFLAGS,LDFLAGS,ASFLAGS} for the target flags to
+ 
- # maintain compatibility with the existing Makefiles
+ EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- EXTRA_CFLAGS=@LEGACY_TARGET_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
+-				   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
-				    $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+				   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
-+                                   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+				   $(REALIGN_CFLAG)
-+                                   $(REALIGN_CFLAG)
+ EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
- EXTRA_CXXFLAGS=@LEGACY_TARGET_CXXFLAGS@
+ EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
- EXTRA_LDFLAGS=@LEGACY_TARGET_LDFLAGS@
+ EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
- EXTRA_ASFLAGS=@LEGACY_TARGET_ASFLAGS@
+diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
- # Define an equivalent set for the host flags (i.e. without sysroot options)
+--- openjdk.orig///common/autoconf/spec.gmk.in
- HOST_CFLAGS=@LEGACY_HOST_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
+++ openjdk///common/autoconf/spec.gmk.in
-				 $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+@@ -366,6 +366,7 @@
 +                                 $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
 HOST_CXXFLAGS=@LEGACY_HOST_CXXFLAGS@
 HOST_LDFLAGS=@LEGACY_HOST_LDFLAGS@
 HOST_ASFLAGS=@LEGACY_HOST_ASFLAGS@
 diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
 index 9573bb2cbd..fe7efc130c 100644
 --- a/common/autoconf/spec.gmk.in
 +++ b/common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@ CXXFLAGS_JDKEXE:=@CXXFLAGS_JDKEXE@
 NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
 NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@
--- a/SOURCES/jdk8218811-perfMemory_linux.patch
+++ b/SOURCES/jdk8218811-perfMemory_linux.patch
@ -0,0 +1,12 @@
 diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
 --- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
 +++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
@@ -878,7 +878,7 @@
   // open the file
   int result;
 -  RESTARTABLE(::open(filename, oflags), result);
 +  RESTARTABLE(::open(filename, oflags, 0), result);
   if (result == OS_ERR) {
     if (errno == ENOENT) {
       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
--- a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
+++ b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
@ -0,0 +1,167 @@
 commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
 Author: Alexey Bakhtin <abakhtin@openjdk.org>
 Date:   Tue Apr 4 10:29:11 2023 +0000
    8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
    Reviewed-by: andrew, mbalao
    Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
 diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
 index a79e97d7c74..5378446b97b 100644
 --- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
 +++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
     @Override
     protected void engineInitVerify(PublicKey publicKey)
             throws InvalidKeyException {
 -        if (!(publicKey instanceof RSAPublicKey)) {
 +        if (publicKey instanceof RSAPublicKey) {
 +            RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
 +            isPublicKeyValid(rsaPubKey);
 +            this.pubKey = rsaPubKey;
 +            this.privKey = null;
 +            resetDigest();
 +        } else {
             throw new InvalidKeyException("key must be RSAPublicKey");
         }
 -        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
 -        this.privKey = null;
 -        resetDigest();
     }
     // initialize for signing. See JCA doc
@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
     @Override
     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
             throws InvalidKeyException {
 -        if (!(privateKey instanceof RSAPrivateKey)) {
 +        if (privateKey instanceof RSAPrivateKey) {
 +            RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
 +            isPrivateKeyValid(rsaPrivateKey);
 +            this.privKey = rsaPrivateKey;
 +            this.pubKey = null;
 +            this.random =
 +                    (random == null ? JCAUtil.getSecureRandom() : random);
 +            resetDigest();
 +        } else {
             throw new InvalidKeyException("key must be RSAPrivateKey");
         }
 -        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
 -        this.pubKey = null;
 -        this.random =
 -            (random == null? JCAUtil.getSecureRandom() : random);
 -        resetDigest();
     }
     /**
@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
         }
     }
 +    /**
 +     * Validate the specified RSAPrivateKey
 +     */
 +    private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
 +        try {
 +            if (prKey instanceof RSAPrivateCrtKey) {
 +                RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
 +                if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
 +                    RSAKeyFactory.checkRSAProviderKeyLengths(
 +                            crtKey.getModulus().bitLength(),
 +                            crtKey.getPublicExponent());
 +                } else {
 +                    throw new InvalidKeyException(
 +                            "Some of the CRT-specific components are not available");
 +                }
 +            } else {
 +                RSAKeyFactory.checkRSAProviderKeyLengths(
 +                        prKey.getModulus().bitLength(),
 +                        null);
 +            }
 +        } catch (InvalidKeyException ikEx) {
 +            throw ikEx;
 +        } catch (Exception e) {
 +            throw new InvalidKeyException(
 +                    "Can not access private key components", e);
 +        }
 +        isValid(prKey);
 +    }
 +
 +    /**
 +     * Validate the specified RSAPublicKey
 +     */
 +    private void isPublicKeyValid(RSAPublicKey pKey)  throws InvalidKeyException {
 +        try {
 +            RSAKeyFactory.checkRSAProviderKeyLengths(
 +                    pKey.getModulus().bitLength(),
 +                    pKey.getPublicExponent());
 +        } catch (InvalidKeyException ikEx) {
 +            throw ikEx;
 +        } catch (Exception e) {
 +            throw new InvalidKeyException(
 +                    "Can not access public key components", e);
 +        }
 +        isValid(pKey);
 +    }
 +
     /**
      * Validate the specified RSAKey and its associated parameters against
      * internal signature parameters.
      */
 -    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
 +    private void isValid(RSAKey rsaKey) throws InvalidKeyException {
         try {
             AlgorithmParameterSpec keyParams = rsaKey.getParams();
             // validate key parameters
@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
                 }
                 checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
             }
 -            return rsaKey;
         } catch (SignatureException e) {
             throw new InvalidKeyException(e);
         }
 diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
 index 6b219937981..b3c1fae9672 100644
 --- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
 +++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
         // check all CRT-specific components are available, if any one
         // missing, return a non-CRT key instead
 -        if ((key.getPublicExponent().signum() == 0) ||
 -            (key.getPrimeExponentP().signum() == 0) ||
 -            (key.getPrimeExponentQ().signum() == 0) ||
 -            (key.getPrimeP().signum() == 0) ||
 -            (key.getPrimeQ().signum() == 0) ||
 -            (key.getCrtCoefficient().signum() == 0)) {
 +        if (checkComponents(key)) {
 +            return key;
 +        } else {
             return new RSAPrivateKeyImpl(
                 key.algid,
                 key.getModulus(),
 -                key.getPrivateExponent()
 -            );
 -        } else {
 -            return key;
 +                key.getPrivateExponent());
         }
     }
 +    /**
 +     * Validate if all CRT-specific components are available.
 +     */
 +    static boolean checkComponents(RSAPrivateCrtKey key) {
 +        return !((key.getPublicExponent().signum() == 0) ||
 +            (key.getPrimeExponentP().signum() == 0) ||
 +            (key.getPrimeExponentQ().signum() == 0) ||
 +            (key.getPrimeP().signum() == 0) ||
 +            (key.getPrimeQ().signum() == 0) ||
 +            (key.getCrtCoefficient().signum() == 0));
 +    }
 +
     /**
      * Generate a new key from the specified type and components.
      * Returns a CRT key if possible and a non-CRT key otherwise.
--- a/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
+++ b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
@ -0,0 +1,67 @@
 # HG changeset patch
 # User Andrew John Hughes <gnu_andrew@member.fsf.org>
 # Date 1620365804 -3600
 #      Fri May 07 06:36:44 2021 +0100
 # Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
 # Parent  723b59ed1afe878c5cd35f080399c8ceec4f776b
 PR3836: Extra compiler flags not passed to adlc build
 diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
 +++ openjdk/hotspot/make/aix/makefiles/adlc.make
@@ -69,6 +69,11 @@
 CFLAGS_WARN = -w
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
 +++ openjdk/hotspot/make/bsd/makefiles/adlc.make
@@ -71,6 +71,11 @@
 endif
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
 +++ openjdk/hotspot/make/linux/makefiles/adlc.make
@@ -69,6 +69,11 @@
 CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
 +++ openjdk/hotspot/make/solaris/makefiles/adlc.make
@@ -85,6 +85,10 @@
 endif
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 ifeq ("${Platform_compiler}", "sparcWorks")
 # Enable the following CFLAGS addition if you need to compare the
 # built ELF objects.
--- a/SOURCES/jdk8328999-update_giflib_5.2.2.patch
+++ b/SOURCES/jdk8328999-update_giflib_5.2.2.patch
--- a/SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch
+++ b/SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch
@ -7,11 +7,10 @@
 8074839: Resolve disabled warnings for libunpack and the unpack200 binary
 Reviewed-by: dholmes, ksrini
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-index bdaf95a2f6a..60c5b4f2a69 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+@@ -63,7 +63,7 @@
@@ -63,7 +63,7 @@ struct bytes {
     bytes res;
     res.ptr = ptr + beg;
     res.len = end - beg;
@ -20,11 +19,10 @@ index bdaf95a2f6a..60c5b4f2a69 100644
     return res;
   }
   // building C strings inside byte buffers:
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-index 5fbc7261fb3..4c002e779d8 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+@@ -292,7 +292,7 @@
@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
   if (uPtr->aborting()) {
     THROW_IOE(uPtr->get_abort_message());
@ -33,16 +31,16 @@ index 5fbc7261fb3..4c002e779d8 100644
   }
   // We have fetched all the files.
-@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
+@@ -310,7 +310,7 @@
-   // There's no need to create a new unpacker here if we don't already have one
+ JNIEXPORT jlong JNICALL
-   // just to immediatly free it afterwards.
+ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
-   unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
+   unpacker* uPtr = get_unpacker(env, pObj, false);
 -  CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
 +  CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
   size_t consumed = uPtr->input_consumed();
   // free_unpacker() will set the unpacker field on 'pObj' to null
   free_unpacker(env, pObj, uPtr);
-@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
+   return consumed;
@@ -320,6 +320,7 @@
 Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
                                        jstring pProp, jstring pValue) {
   unpacker*   uPtr  = get_unpacker(env, pObj);
@ -50,11 +48,10 @@ index 5fbc7261fb3..4c002e779d8 100644
   const char* prop  = env->GetStringUTFChars(pProp, JNI_FALSE);
   CHECK_EXCEPTION_RETURN_VALUE(prop, false);
   const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-index 6fbc43a18ae..722c8baaff0 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+@@ -142,31 +142,28 @@
@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
   return progname;
 }
@ -104,11 +101,10 @@ index 6fbc43a18ae..722c8baaff0 100644
   }
 }
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-index a585535c513..8df3fade499 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -222,9 +222,9 @@
@@ -225,9 +225,9 @@ struct entry {
   }
 #ifdef PRODUCT
@ -120,7 +116,7 @@ index a585535c513..8df3fade499 100644
 #endif
 };
-@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
+@@ -715,13 +715,13 @@
   // Now we can size the whole archive.
   // Read everything else into a mega-buffer.
   rp = hdr.rp;
@ -138,7 +134,7 @@ index a585535c513..8df3fade499 100644
       abort("EOF reading fixed input buffer");
       return;
     }
-@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
+@@ -735,7 +735,7 @@
       return;
     }
     input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@ -147,7 +143,7 @@ index a585535c513..8df3fade499 100644
     CHECK;
     assert(input.limit()[0] == 0);
     // Move all the bytes we read initially into the real buffer.
-@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
+@@ -958,13 +958,13 @@
   nentries = next_entry;
   // place a limit on future CP growth:
@ -163,7 +159,18 @@ index a585535c513..8df3fade499 100644
   // Note that this CP does not include "empty" entries
   // for longs and doubles.  Those are introduced when
-@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
+@@ -982,8 +982,9 @@
   }
   // Initialize *all* our entries once
 -  for (int i = 0 ; i < maxentries ; i++)
 +  for (uint i = 0 ; i < maxentries ; i++) {
     entries[i].outputIndex = REQUESTED_NONE;
 +  }
   initGroupIndexes();
   // Initialize hashTab to a generous power-of-two size.
@@ -3677,21 +3678,22 @@
 unpacker* debug_u;
@ -190,7 +197,7 @@ index a585535c513..8df3fade499 100644
   case CONSTANT_Signature:
     if (value.b.ptr == null)
       return ref(0)->string();
-@@ -3728,26 +3729,28 @@ char* entry::string() {
+@@ -3711,26 +3713,28 @@
     break;
   default:
     if (nrefs == 0) {
@ -228,11 +235,10 @@ index a585535c513..8df3fade499 100644
 }
 void print_cp_entries(int beg, int end) {
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-index 4ec595333c4..aad0c971ef2 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+@@ -209,7 +209,7 @@
@@ -209,7 +209,7 @@ struct unpacker {
   byte*     rp;          // read pointer (< rplimit <= input.limit())
   byte*     rplimit;     // how much of the input block has been read?
   julong    bytes_read;
@ -241,11 +247,10 @@ index 4ec595333c4..aad0c971ef2 100644
   // callback to read at least one byte, up to available input
   typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-index da39a589545..1281d8b25c8 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+@@ -81,7 +81,7 @@
@@ -81,7 +81,7 @@ void breakpoint() { }  // hook for debugger
 int assert_failed(const char* p) {
   char message[1<<12];
   sprintf(message, "@assert failed: %s\n", p);
@ -254,11 +259,10 @@ index da39a589545..1281d8b25c8 100644
   breakpoint();
   unpack_abort(message);
   return 0;
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-index f58c94956c0..343da3e183b 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+@@ -84,7 +84,7 @@
@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
 }
 // Write data to the ZIP output stream.
@ -267,7 +271,7 @@ index f58c94956c0..343da3e183b 100644
   while (len > 0) {
     int rc = (int)fwrite(buff, 1, len, jarfp);
     if (rc <= 0) {
-@@ -323,12 +323,12 @@ void jar::write_central_directory() {
+@@ -323,12 +323,12 @@
     // Total number of disks (int)
     header64[36] = (ushort)SWAP_BYTES(1);
     header64[37] = 0;
@ -282,11 +286,10 @@ index f58c94956c0..343da3e183b 100644
   PRINTCR((2, "writing zip comment\n"));
   // Write the comment.
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-index 14ffc9d65bd..9877f6f68ca 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+@@ -68,8 +68,8 @@
@@ -68,8 +68,8 @@ struct jar {
   }
   // Private Methods
--- a/SOURCES/repack_reproducible_policies.sh
+++ b/SOURCES/repack_reproducible_policies.sh
--- a/SOURCES/s390-8214206_fix.patch
+++ b/SOURCES/s390-8214206_fix.patch
@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
   Atomic::add(val, &_sum);
 -  int mag = log2_intptr(val) + 1;
-+  int mag = log2_long(val) + 1;
+  int mag = log2_intptr((uintptr_t)val) + 1;
   // Defensively saturate for product bits:
   if (mag < 0) {
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
`@ -1,2 +1,2 @@`
	`SOURCES/shenandoah8u432-b06.tar.xz`	`SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz`
	`SOURCES/tapsets-icedtea-3.15.0.tar.xz`	`SOURCES/tapsets-icedtea-3.15.0.tar.xz`
`@ -1,2 +1,2 @@`
	`af2d3b85c48ecc8c22188ac687e6160658ef6aca SOURCES/shenandoah8u432-b06.tar.xz`	`3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz`
	`7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz`	`7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz`