.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
+SOURCES/shenandoah8u422-b05.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz

.java-1.8.0-openjdk.metadata

@@ -1,2 +1,2 @@
-71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
+e2828a59a56b737f58f33dc21f654e92bdfc085e SOURCES/shenandoah8u422-b05.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

SOURCES/NEWS

@@ -3,6 +3,812 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 8u422 (2024-07-16):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u422
+
+* CVEs
+  - CVE-2024-21131
+  - CVE-2024-21138
+  - CVE-2024-21140
+  - CVE-2024-21144
+  - CVE-2024-21145
+  - CVE-2024-21147
+* Security fixes
+  - JDK-8314794: Improve UTF8 String supports
+  - JDK-8319859: Better symbol storage
+  - JDK-8320097: Improve Image transformations
+  - JDK-8320548: Improved loop handling
+  - JDK-8322106: Enhance Pack 200 loading
+  - JDK-8323231: Improve array management
+  - JDK-8323390: Enhance mask blit functionality
+  - JDK-8324559: Improve 2D image handling
+  - JDK-8325600: Better symbol storage
+* Other changes
+  - JDK-8025439: [TEST BUG] [macosx] PrintServiceLookup.lookupPrintServices doesn't work properly since jdk8b105
+  - JDK-8069389: CompilerOracle prefix wildcarding is broken for long strings
+  - JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/bug7123767.java: number of checked graphics configurations should be limited
+  - JDK-8159690: [TESTBUG] Mark headful tests with @key headful.
+  - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
+  - JDK-8203691: [TESTBUG] Test /runtime/containers/cgroup/PlainRead.java fails
+  - JDK-8205407: [windows, vs<2017] C4800 after 8203197
+  - JDK-8235834: IBM-943 charset encoder needs updating
+  - JDK-8239965: XMLEncoder/Test4625418.java fails due to "Error: Cp943 - can't read properly"
+  - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+  - JDK-8256152: tests fail because of ambiguous method resolution
+  - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
+  - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
+  - JDK-8268916: Tests for AffirmTrust roots
+  - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
+  - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
+  - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
+  - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
+  - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
+  - JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL
+  - JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM
+  - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074
+  - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate.
+  - JDK-8316138: Add GlobalSign 2 TLS root certificates
+  - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows
+  - JDK-8320005: Allow loading of shared objects with .a extension on AIX
+  - JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
+  - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing
+  - JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
+  - JDK-8326686: Bump update version of OpenJDK: 8u422
+  - JDK-8327440: Fix "bad source file" error during beaninfo generation
+  - JDK-8328809: [8u] Problem list some CA tests
+  - JDK-8328825: Google CAInterop test failures
+  - JDK-8329544: [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary
+  - JDK-8331791: [8u] AIX build break from JDK-8320005 backport
+  - JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
+  - JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3 ::Identity signature fixes
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
+===========================================================================
+Two system properties have been added which control the keep alive
+behavior of HttpURLConnection in the case where the server does not
+specify a keep alive time. These are:
+
+* `http.keepAlive.time.server`
+* `http.keepAlive.time.proxy`
+
+which control the number of seconds before an idle connection to a
+server or proxy will be closed, respectively. If the server or proxy
+specifies a keep alive time in a "Keep-Alive" response header, this
+will take precedence over the values of these properties.
+
+security-libs/java.security:
+
+JDK-8316138: Add GlobalSign 2 TLS root certificates
+===================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: GlobalSign
+Alias Name: globalsignr46
+Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
+
+Name: GlobalSign
+Alias Name: globalsigne46
+Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
+
+New in release OpenJDK 8u412 (2024-04-16):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u412
+
+* CVEs
+  - CVE-2024-21011
+  - CVE-2024-21085
+  - CVE-2024-21068
+  - CVE-2024-21094
+* Security fixes
+  - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
+  - JDK-8318340: Improve RSA key implementations
+  - JDK-8319851: Improve exception logging
+  - JDK-8322114: Improve Pack 200 handling
+  - JDK-8322122: Enhance generation of addresses
+* Other changes
+  - JDK-8011180: Delete obsolete scripts
+  - JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
+  - JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
+  - JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
+  - JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
+  - JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
+  - JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
+  - JDK-8168518: rcache interop with krb5-1.15
+  - JDK-8183503: Update hotspot tests to allow for unique test classes directory
+  - JDK-8186095: upgrade to jtreg 4.2 b08
+  - JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
+  - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
+  - JDK-8208655: use JTreg skipped status in hotspot tests
+  - JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
+  - JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
+  - JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
+  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
+  - JDK-8224768: Test ActalisCA.java fails
+  - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
+  - JDK-8251551: Use .md filename extension for README
+  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
+  - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error
+  - JDK-8270517: Add Zero support for LoongArch
+  - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
+  - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
+  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests
+  - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
+  - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
+  - JDK-8308592: Framework for CA interoperability testing
+  - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
+  - JDK-8315042: NPE in PKCS7.parseOldSignedData
+  - JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
+  - JDK-8320713: Bump update version of OpenJDK: 8u412
+  - JDK-8321060: [8u] hotspot needs to recognise VS2022
+  - JDK-8321408: Add Certainly roots R1 and E1
+  - JDK-8322725: (tz) Update Timezone Data to 2023d
+  - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
+  - JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
+  - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
+  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
+  - JDK-8324530: Build error with gcc 10
+  - JDK-8325150: (tz) Update Timezone Data to 2024a
+
+Notes on individual issues:
+===========================
+
+security-libs/org.ietf.jgss:krb5:
+
+JDK-8168518: rcache interop with krb5-1.15
+==========================================
+The hash algorithm used in the Kerberos 5 replay cache file (rcache)
+has been changed from MD5 to SHA256. This is the same algorithm used
+by MIT krb5-1.15 and is interoperable with earlier releases of MIT
+krb5.
+
+The MD5 algorithm can still be used by setting the new
+jdk.krb5.rcache.useMD5 property to 'true':
+
+java -Djdk.krb5.rcache.useMD5=true ...
+
+This is useful where either the system has a coarse clock and has to
+depend on hash values in replay attack detection, or interoperability
+with the rcache files in older versions of OpenJDK is required.
+
+client-libs/java.awt:
+
+JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
+=======================================================================
+The java.awt.SystemTray API is used to interact with the system's
+desktop taskbar to provide notifications and may include an icon
+representing an application. The GNOME desktop's support for taskbar
+icons has not worked properly for several years, due to a platform
+bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
+desktops.
+
+Therefore, in accordance with the SystemTray API specification,
+java.awt.SystemTray.isSupported() will now return false on systems
+that exhibit this bug, which is assumed to be those running a version
+of GNOME Shell below 45.
+
+The impact of this change is likely to be minimal, as users of the
+SystemTray API should already be able to handle isSupported()
+returning false and the system tray on such platforms has already been
+unsupported for a number of years for all applications.
+
+security-libs/java.security:
+
+JDK-8321408: Added Certainly R1 and E1 Root Certificates
+========================================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Certainly
+Alias Name: certainlyrootr1
+Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
+
+Name: Certainly
+Alias Name: certainlyroote1
+Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
+
+New in release OpenJDK 8u402 (2024-01-16):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u402
+
+* CVEs
+  - CVE-2024-20918
+  - CVE-2024-20919
+  - CVE-2024-20921
+  - CVE-2024-20926
+  - CVE-2024-20945
+  - CVE-2024-20952
+* Security fixes
+  - JDK-8308204: Enhanced certificate processing
+  - JDK-8314284: Enhance Nashorn performance
+  - JDK-8314295: Enhance verification of verifier
+  - JDK-8314307: Improve loop handling
+  - JDK-8314468: Improve Compiler loops
+  - JDK-8316976: Improve signature handling
+  - JDK-8317547: Enhance TLS connection support
+* Other changes
+  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
+  - JDK-8029995: accept yes/no for boolean krb5.conf settings
+  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
+  - JDK-8176509: Use pandoc for converting build readme to html
+  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
+  - JDK-8207404: MulticastSocket tests failing on AIX
+  - JDK-8212677: X11 default visual support for IM status window on VNC
+  - JDK-8239365: ProcessBuilder test modifications for AIX execution
+  - JDK-8271838: AmazonCA.java interop test fails
+  - JDK-8285398: Cache the results of constraint checks
+  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
+  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
+  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
+  - JDK-8307837: [8u] Check step in GHA should also print errors
+  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
+  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
+  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
+  - JDK-8315280: Bump update version of OpenJDK: 8u402
+  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
+  - JDK-8317291: Missing null check for nmethod::is_native_method()
+  - JDK-8317373: Add Telia Root CA v2
+  - JDK-8317374: Add Let's Encrypt ISRG Root X2
+  - JDK-8318759: Add four DigiCert root certificates
+  - JDK-8319187: Add three eMudhra emSign roots
+  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
+  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
+
+Notes on individual issues:
+===========================
+
+security-libs/org.ietf.jgss:krb5:
+
+JDK-8029995: accept yes/no for boolean krb5.conf settings
+=========================================================
+The krb5.conf configuration file now also accepts "yes" and "no", as
+alternatives to the existing "true" and "false" support, when using
+settings that take boolean values.
+
+security-libs/java.security:
+
+JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+===============================================================================================================================
+A maximum signature file size property, jdk.jar.maxSignatureFileSize,
+was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
+default of 8MB. This default proved to be too small for some JAR
+files. This release, 8u402, increases it to 16MB.
+
+JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
+=================================================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Let's Encrypt
+Alias Name: letsencryptisrgx2
+Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
+
+JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
+=============================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: DigiCert, Inc.
+Alias Name: digicertcseccrootg5
+Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicertcsrsarootg5
+Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlseccrootg5
+Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlsrsarootg5
+Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
+============================================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag1
+Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsigneccrootcag3
+Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag2
+Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+JDK-8317373: Added Telia Root CA v2 Certificate
+===============================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Telia Root CA v2
+Alias Name: teliarootcav2
+Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
+
+New in release OpenJDK 8u392 (2023-10-17):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u392
+
+* CVEs
+  - CVE-2023-22067
+  - CVE-2023-22081
+* Security fixes
+  - JDK-8286503, JDK-8312367: Enhance security classes
+  - JDK-8297856: Improve handling of Bidi characters
+  - JDK-8303384: Improved communication in CORBA
+  - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
+  - JDK-8309966: Enhanced TLS connections
+* Other changes
+  - JDK-6722928: Provide a default native GSS-API library on Windows
+  - JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
+  - JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
+  - JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+  - JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
+  - JDK-8200468: Port the native GSS-API bridge to Windows
+  - JDK-8202952: C2: Unexpected dead nodes after matching
+  - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
+  - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
+  - JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
+  - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
+  - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
+  - JDK-8232225: Rework the fix for JDK-8071483
+  - JDK-8242330: Arrays should be cloned in several JAAS Callback classes
+  - JDK-8253269: The CheckCommonColors test should provide more info on failure
+  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
+  - JDK-8284910: Buffer clean in PasswordCallback
+  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+  - JDK-8287663: Add a regression test for JDK-8287073
+  - JDK-8295685: Update Libpng to 1.6.38
+  - JDK-8295894: Remove SECOM certificate that is expiring in September 2023
+  - JDK-8308788: [8u] Remove duplicate HaricaCA.java test
+  - JDK-8309122: Bump update version of OpenJDK: 8u392
+  - JDK-8309143: [8u] fix archiving inconsistencies in GHA
+  - JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
+  - JDK-8314960: Add Certigna Root CA - 2
+  - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
+  - JDK-8317040: Exclude cleaner test failing on older releases
+
+Notes on individual issues:
+===========================
+
+other-libs/corba:idl:
+
+JDK-8303384: Improved communication in CORBA
+============================================
+The JDK's CORBA implementation now provides the option to limit
+serialisation in stub objects to those with the "IOR:" prefix.  For
+ORB constrained stub classes:
+
+* _DynArrayStub
+* _DynEnumStub
+* _DynFixedStub
+* _DynSequenceStub
+* _DynStructStub
+* _DynUnionStub
+* _DynValueStub
+* _DynAnyStub
+* _DynAnyFactoryStub
+
+this is enabled by default and may be disabled by setting the system
+property org.omg.DynamicAny.disableIORCheck to 'true'.
+
+For remote service stub classes:
+
+* _NamingContextStub
+* _BindingIteratorStub
+* _NamingContextExtStub
+* _ServantActivatorStub
+* _ServantLocatorStub
+* _ServerManagerStub
+* _ActivatorStub
+* _RepositoryStub
+* _InitialNameServiceStub
+* _LocatorStub
+* _ServerStub
+
+it is disabled by default and may be enabled by setting the system
+property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
+
+security-libs/org.ietf.jgss:
+
+JDK-6722928: Added a Default Native GSS-API Library on Windows
+==============================================================
+
+A native GSS-API library named `sspi_bridge.dll` has been added to the
+JDK on the Windows platform.  As with native GSS-API library provision
+on other operating systems, it will only be loaded when the
+`sun.security.jgss.native` system property is set to "true". A user
+can still load a third-party native GSS-API library instead by setting
+the `sun.security.jgss.lib` system property to the appropriate path.
+
+The library is client-side only and uses the default credentials.
+Native GSS support automatically uses cached credentials from the
+underlying operating system, so the
+`javax.security.auth.useSubjectCredsOnly` system property should be
+set to false.
+
+The `com.sun.security.auth.module.Krb5LoginModule` does not call
+native JGSS and so its use in your JAAS config should be avoided.
+
+security-libs/org.ietf.jgss:krb5:
+
+JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+===============================================
+The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
+are now deprecated and disabled by default.  To re-enable them, you
+can either enable all weak crypto (which also includes `des-cbc-crc`
+and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
+`krb5.conf` configuration file or explicitly list all the preferred
+encryption types using the `default_tkt_enctypes`,
+`default_tgs_enctypes`, or `permitted_enctypes` settings.
+
+security-libs/java.security:
+
+JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
+==================================================================
+The following root certificate from SECOM Trust System has been
+removed from the `cacerts` keystore:
+
+Alias Name: secomscrootca1 [jdk]
+Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
+
+JDK-8314960: Added Certigna Root CA Certificate
+===============================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Certigna (Dhimyotis)
+Alias Name: certignarootca
+Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
+
+security-libs/javax.security:
+
+JDK-8242330: Arrays should be cloned in several JAAS Callback classes
+=====================================================================
+In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
+were not cloned when passed into a constructor or returned. This
+allowed an external program to get access to the internal fields of
+these classes. The classes have been updated to return cloned arrays.
+
+New in release OpenJDK 8u382 (2023-07-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u382
+
+* CVEs
+  - CVE-2023-22045
+  - CVE-2023-22049
+* Security fixes
+  - JDK-8298676: Enhanced Look and Feel
+  - JDK-8300596: Enhance Jar Signature validation
+  - JDK-8304468: Better array usages
+  - JDK-8305312: Enhanced path handling
+* Other changes
+  - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
+  - JDK-8151460: Metaspace counters can have inconsistent values
+  - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
+  - JDK-8185736: missing default exception handler in calls to rethrow_Stub
+  - JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
+  - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
+  - JDK-8241311: Move some charset mapping tests from closed to open
+  - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
+  - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
+  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+  - JDK-8276841: Add support for Visual Studio 2022
+  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
+  - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
+  - JDK-8282345: handle latest VS2022 in abstract_vm_version
+  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
+  - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
+  - JDK-8293232: Fix race condition in pkcs11 SessionManager
+  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
+  - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
+  - JDK-8298108: Add a regression test for JDK-8297684
+  - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
+  - JDK-8301119: Support for GB18030-2022
+  - JDK-8301400: Allow additional characters for GB18030-2022 support
+  - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
+  - JDK-8303028: Update system property for Java SE specification maintenance version
+  - JDK-8303462: Bump update version of OpenJDK: 8u382
+  - JDK-8304760: Add 2 Microsoft TLS roots
+  - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
+  - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
+  - JDK-8305975: Add TWCA Global Root CA
+  - JDK-8307134: Add GTS root CAs
+  - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
+  - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
+  - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
+===========================================================================
+In order to support "Implementation Level 2" of the GB18030-2022
+standard, the JDK must be able to use characters from the CJK Unified
+Ideographs Extension E block of Unicode 8.0.  The addition of these
+characters forms Maintenance Release 5 of the Java SE 8 specification,
+which is implemented in this release of OpenJDK via the addition of a
+new UnicodeBlock instance,
+Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.
+
+core-libs/java.util.jar:
+
+8300596: Enhance Jar Signature validation
+=========================================
+A System property "jdk.jar.maxSignatureFileSize" is introduced to
+configure the maximum number of bytes allowed for the
+signature-related files in a JAR file during verification. The default
+value is 8000000 bytes (8 MB).
+
+security-libs/java.security:
+
+JDK-8307134: Added 4 GTS Root CA Certificates
+=============================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: Google Trust Services LLC
+Alias Name: gtsrootcar1
+Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
+
+Name: Google Trust Services LLC
+Alias Name: gtsrootcar2
+Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
+
+Name: Google Trust Services LLC
+Alias Name: gtsrootcar3
+Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
+
+Name: Google Trust Services LLC
+Alias Name: gtsrootcar4
+Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
+
+JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
+=====================================================================
+The following root certificates has been added to the cacerts
+truststore:
+
+Name: Microsoft Corporation
+Alias Name: microsoftecc2017
+Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
+
+Name: Microsoft Corporation
+Alias Name: microsoftrsa2017
+Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
+
+JDK-8305975: Added TWCA Root CA Certificate
+===========================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: TWCA
+Alias Name: twcaglobalrootca
+Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
+
+New in release OpenJDK 8u372 (2023-04-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u372
+
+* CVEs
+  - CVE-2023-21930
+  - CVE-2023-21937
+  - CVE-2023-21938
+  - CVE-2023-21939
+  - CVE-2023-21954
+  - CVE-2023-21967
+  - CVE-2023-21968
+* Security fixes
+  - JDK-8287404: Improve ping times
+  - JDK-8288436: Improve Xalan supports
+  - JDK-8294474: Better AES support
+  - JDK-8295304: Runtime support improvements
+  - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation
+  - JDK-8296676, JDK-8296622: Improve String platform support
+  - JDK-8296684: Improve String platform support
+  - JDK-8296692: Improve String platform support
+  - JDK-8296700: Improve String platform support
+  - JDK-8296832: Improve Swing platform support
+  - JDK-8297371: Improve UTF8 representation redux
+  - JDK-8298191: Enhance object reclamation process
+  - JDK-8298310: Enhance TLS session negotiation
+  - JDK-8298667: Improved path handling
+  - JDK-8299129: Enhance NameService lookups
+* New features
+  - JDK-8230305: Cgroups v2: Container awareness
+* Other changes
+  - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html
+  - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
+  - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+  - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be
+  - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation
+  - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java
+  - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows
+  - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
+  - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB
+  - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error
+  - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
+  - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu
+  - JDK-8156579: Two JavaBeans tests failed
+  - JDK-8156581: Cleanup of ProblemList.txt
+  - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
+  - JDK-8177560: @headful key can be removed from the tests for JavaSound
+  - JDK-8196196: Headful tests should not be run in headless mode
+  - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails
+  - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp
+  - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow
+  - JDK-8205959: Do not restart close if errno is EINTR
+  - JDK-8216366: Add rationale to PER_CPU_SHARES define
+  - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails
+  - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes)
+  - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12
+  - JDK-8229202: Docker reporting causes secondary crashes in error handling
+  - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+  - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation
+  - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
+  - JDK-8234484: Add ability to configure third port for remote JMX
+  - JDK-8237479: 8230305 causes slowdebug build failure
+  - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+  - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+  - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
+  - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
+  - JDK-8242468: VS2019 build missing vcruntime140_1.dll
+  - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
+  - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+  - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+  - JDK-8245654: Add Certigna Root CA
+  - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows
+  - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
+  - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+  - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+  - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+  - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+  - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+  - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
+  - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+  - JDK-8257620: Do not use objc_msgSend_stret to get macOS version
+  - JDK-8262379: Add regression test for JDK-8257746
+  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+  - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+  - JDK-8270317: Large Allocation in CipherSuite
+  - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
+  - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
+  - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+  - JDK-8280048: Missing comma in copyright header
+  - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
+  - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
+  - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
+  - JDK-8283277: ISO 4217 Amendment 171 Update
+  - JDK-8283606: Tests may fail with zh locale on MacOS
+  - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+  - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
+  - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+  - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
+  - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
+  - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+  - JDK-8287109: Distrust.java failed with CertificateExpiredException
+  - JDK-8287463: JFR: Disable TestDevNull.java on Windows
+  - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+  - JDK-8289549: ISO 4217 Amendment 172 Update
+  - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
+  - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u
+  - JDK-8292083: Detected container memory limit may exceed physical machine memory
+  - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
+  - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
+  - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
+  - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings
+  - JDK-8294307: ISO 4217 Amendment 173 Update
+  - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features
+  - JDK-8295322: Tests for JDK-8271459 were not backported to 11u
+  - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
+  - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process
+  - JDK-8296239: ISO 4217 Amendment 174 Update
+  - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
+  - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
+  - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
+  - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
+  - JDK-8297329: [8u] hotspot needs to recognise VS2019
+  - JDK-8297739: Bump update version of OpenJDK: 8u372
+  - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's
+  - JDK-8298027: Remove SCCS id's from awt jtreg tests
+  - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u
+  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
+  - JDK-8299445: EndingDotHostname.java fails because of compilation errors
+  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+  - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u
+  - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u
+  - JDK-8300014: Some backports placed the tests in the wrong location
+  - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems
+  - JDK-8301122: [8u] Fix unreliable vs2010 download link
+  - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper
+  - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig
+  - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport
+  - JDK-8301550: [8u] Enable additional linux build testing in GitHub
+  - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors
+  - JDK-8301760: Fix possible leak in SpNegoContext dispose
+  - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391
+  - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391
+  - JDK-8304053: Revert os specific stubs for SystemMetrics
+  - JDK-8305113: (tz) Update Timezone Data to 2023c
+
+Notes on individual issues:
+===========================
+
+hotspot:
+core-libs:
+
+JDK-8305562: Cgroups v2: Container awareness
+============================================
+The HotSpot runtime code as well as the core libraries code in the JDK
+has been updated in order to detect a cgroup v2 host system when
+running OpenJDK within a Linux container.
+
+Since the 8u202 release of OpenJDK, the container detection code
+recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later
+releases, both versions of the underlying cgroups pseudo filesystem
+will be detected and corresponding container limits applied to the
+OpenJDK runtime.
+
+Without this enhancement, OpenJDK would not apply container resource
+limits when running on a cgroup v2 Linux host system, but would use
+the underlying hosts' resource limits instead.
+
+client-libs/javax.swing:
+
+JDK-8296832: Improve Swing platform support
+===========================================
+Earlier OpenJDK releases would always render HTML object tags embedded in
+Swing HTML components. With this release, rendering only occurs when the
+new system property "swing.html.object" is set to true. By default, it
+is set to false.
+
+core-svc/javax.management:
+
+JDK-8234484: Added Ability to Configure Third Port for Remote JMX
+=================================================================
+A local access port can now be configured for JMX connections by
+setting the property `com.sun.management.jmxremote.local.port`. This
+local port was previously selected at random, which could lead to port
+collisions. The property works in the same way as the existing
+properties for configuring the remote access port
+(`com.sun.management.jmxremote.port`) and the RMI port
+(`com.sun.management.jmxremote.rmi.port`)
+
+security-libs/java.security:
+
+JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate
+==========================================================
+The following root certificate has been added to the cacerts truststore:
+
+Name: Certigna (Dhimyotis)
+Alias Name: certignarootca
+Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR
+
 New in release OpenJDK 8u362 (2023-01-17):
 ===========================================
 Live versions of these release notes can be found at:
@@ -84,6 +890,8 @@ Live versions of these release notes can be found at:
   - JDK-8297804: (tz) Update Timezone Data to 2022g
   - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
   - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+  - JDK-8300178: JDK-8286496 causes build failure on older GCC
+  - JDK-8300225: JDK-8288516 causes build failure on Windows + VS2010
 
 Notes on individual issues:
 ===========================
@@ -291,19 +1099,6 @@ the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 
-core-libs/java.net:
-
-JDK-8286918: Better HttpServer service
-======================================
-The HttpServer can be optionally configured with a maximum connection
-limit by setting the jdk.httpserver.maxConnections system property. A
-value of 0 or a negative integer is ignored and considered to
-represent no connection limit. In the case of a positive integer
-value, any newly accepted connections will be first checked against
-the current count of established connections and, if the configured
-limit has been reached, then the newly accepted connection will be
-closed immediately.
-
 security-libs/javax.net.ssl:
 
 JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@@ -501,7 +1296,7 @@ device paths such as `NUL:` are *not* used.
 New in release OpenJDK 8u332 (2022-04-22):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bit.ly/openjdk8u332
+  * https://bitly.com/openjdk8u332
   * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
 
 * Security fixes

SOURCES/README.md

@@ -1,8 +1,34 @@
-Package of LTS OpenJDK 8
-OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages. 
+OpenJDK 8 is a Long-Term Support (LTS) release of the Java platform.
 
-JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. 
+For a list of major changes in OpenJDK 8 (java-1.8.0-openjdk), see the
+upstream release page: https://openjdk.org/projects/jdk8/features
 
-See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
-See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+# Rebuilding the OpenJDK package
 
+The OpenJDK packages are now created from a single build which is then
+packaged for different major versions of Red Hat Enterprise Linux
+(RHEL). This allows the OpenJDK team to focus their efforts on the
+development and testing of this single build, rather than having
+multiple builds which only differ by the platform they were built on.
+
+This does make rebuilding the package slightly more complicated than a
+normal package. Modifications should be made to the
+`java-1.8.0-openjdk-portable.specfile` file, which can be found with
+this README file in the source RPM or installed in the documentation
+tree by the `java-1.8.0-openjdk-headless` RPM.
+
+Once the modified `java-1.8.0-openjdk-portable` RPMs are built, they
+should be installed and will produce a number of tarballs in the
+`/usr/lib/jvm` directory. The `java-1.8.0-openjdk` RPMs can then be
+built, which will use these tarballs to create the usual RPMs found in
+RHEL. The `java-1.8.0-openjdk-portable` RPMs can be uninstalled once
+the desired final RPMs are produced.
+
+Note that the `java-1.8.0-openjdk.spec` file has a hard requirement on
+the exact version of java-1.8.0-openjdk-portable to use, so this will
+need to be modified if the version or rpmrelease values are changed in
+`java-1.8.0-openjdk-portable.specfile`.
+
+To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
+builds may be disabled using `--without fastdebug` and `--without
+slowdebug`.

SOURCES/jdk8186464-rh1433262-zip64_failure.patch

@@ -0,0 +1,286 @@
+# HG changeset patch
+# User sherman
+# Date 1505950914 25200
+#      Wed Sep 20 16:41:54 2017 -0700
+# Node ID 723486922bfe4c17e3f5c067ce5e97229842fbcd
+# Parent  c8ac05bbe47771b3dafa2e7fc9a95d86d68d7c07
+8186464: ZipFile cannot read some InfoZip ZIP64 zip files
+Reviewed-by: martin
+
+diff --git openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
+index 26e2a5bf9e9..2630c118817 100644
+--- openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
++++ openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
+@@ -92,6 +92,7 @@ public class ZipFileSystem extends FileSystem {
+     private final boolean createNew;     // create a new zip if not exists
+     private static final boolean isWindows =
+         System.getProperty("os.name").startsWith("Windows");
++    private final boolean forceEnd64;
+ 
+     // a threshold, in bytes, to decide whether to create a temp file
+     // for outputstream of a zip entry
+@@ -112,12 +113,13 @@ public class ZipFileSystem extends FileSystem {
+         if (this.defaultDir.charAt(0) != '/')
+             throw new IllegalArgumentException("default dir should be absolute");
+ 
++        this.forceEnd64 = "true".equals(env.get("forceZIP64End"));
+         this.provider = provider;
+         this.zfpath = zfpath;
+         if (Files.notExists(zfpath)) {
+             if (createNew) {
+                 try (OutputStream os = Files.newOutputStream(zfpath, CREATE_NEW, WRITE)) {
+-                    new END().write(os, 0);
++                    new END().write(os, 0, forceEnd64);
+                 }
+             } else {
+                 throw new FileSystemNotFoundException(zfpath.toString());
+@@ -1014,28 +1016,36 @@ public class ZipFileSystem extends FileSystem {
+                     end.cenoff = ENDOFF(buf);
+                     end.comlen = ENDCOM(buf);
+                     end.endpos = pos + i;
+-                    if (end.cenlen == ZIP64_MINVAL ||
+-                        end.cenoff == ZIP64_MINVAL ||
+-                        end.centot == ZIP64_MINVAL32)
+-                    {
+-                        // need to find the zip64 end;
+-                        byte[] loc64 = new byte[ZIP64_LOCHDR];
+-                        if (readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
+-                            != loc64.length) {
+-                            return end;
+-                        }
+-                        long end64pos = ZIP64_LOCOFF(loc64);
+-                        byte[] end64buf = new byte[ZIP64_ENDHDR];
+-                        if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
+-                            != end64buf.length) {
+-                            return end;
+-                        }
+-                        // end64 found, re-calcualte everything.
+-                        end.cenlen = ZIP64_ENDSIZ(end64buf);
+-                        end.cenoff = ZIP64_ENDOFF(end64buf);
+-                        end.centot = (int)ZIP64_ENDTOT(end64buf); // assume total < 2g
+-                        end.endpos = end64pos;
++                    // try if there is zip64 end;
++                    byte[] loc64 = new byte[ZIP64_LOCHDR];
++                    if (end.endpos < ZIP64_LOCHDR ||
++                        readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
++                        != loc64.length ||
++                        !locator64SigAt(loc64, 0)) {
++                        return end;
++                    }
++                    long end64pos = ZIP64_LOCOFF(loc64);
++                    byte[] end64buf = new byte[ZIP64_ENDHDR];
++                    if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
++                        != end64buf.length ||
++                        !end64SigAt(end64buf, 0)) {
++                        return end;
++                    }
++                    // end64 found,
++                    long cenlen64 = ZIP64_ENDSIZ(end64buf);
++                    long cenoff64 = ZIP64_ENDOFF(end64buf);
++                    long centot64 = ZIP64_ENDTOT(end64buf);
++                    // double-check
++                    if (cenlen64 != end.cenlen && end.cenlen != ZIP64_MINVAL ||
++                        cenoff64 != end.cenoff && end.cenoff != ZIP64_MINVAL ||
++                        centot64 != end.centot && end.centot != ZIP64_MINVAL32) {
++                        return end;
+                     }
++                    // to use the end64 values
++                    end.cenlen = cenlen64;
++                    end.cenoff = cenoff64;
++                    end.centot = (int)centot64; // assume total < 2g
++                    end.endpos = end64pos;
+                     return end;
+                 }
+             }
+@@ -1201,7 +1211,7 @@ public class ZipFileSystem extends FileSystem {
+ 
+     // sync the zip file system, if there is any udpate
+     private void sync() throws IOException {
+-        //System.out.printf("->sync(%s) starting....!%n", toString());
++        // System.out.printf("->sync(%s) starting....!%n", toString());
+         // check ex-closer
+         if (!exChClosers.isEmpty()) {
+             for (ExChannelCloser ecc : exChClosers) {
+@@ -1292,7 +1302,7 @@ public class ZipFileSystem extends FileSystem {
+             }
+             end.centot = elist.size();
+             end.cenlen = written - end.cenoff;
+-            end.write(os, written);
++            end.write(os, written, forceEnd64);
+         }
+         if (!streams.isEmpty()) {
+             //
+@@ -1849,8 +1859,8 @@ public class ZipFileSystem extends FileSystem {
+         long endpos;
+         int disktot;
+ 
+-        void write(OutputStream os, long offset) throws IOException {
+-            boolean hasZip64 = false;
++        void write(OutputStream os, long offset, boolean forceEnd64) throws IOException {
++            boolean hasZip64 = forceEnd64; // false;
+             long xlen = cenlen;
+             long xoff = cenoff;
+             if (xlen >= ZIP64_MINVAL) {
+@@ -1875,8 +1885,8 @@ public class ZipFileSystem extends FileSystem {
+                 writeShort(os, 45);               // version needed to extract
+                 writeInt(os, 0);                  // number of this disk
+                 writeInt(os, 0);                  // central directory start disk
+-                writeLong(os, centot);            // number of directory entires on disk
+-                writeLong(os, centot);            // number of directory entires
++                writeLong(os, centot);            // number of directory entries on disk
++                writeLong(os, centot);            // number of directory entries
+                 writeLong(os, cenlen);            // length of central directory
+                 writeLong(os, cenoff);            // offset of central directory
+ 
+diff --git openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c openjdk/jdk/src/share/native/java/util/zip/zip_util.c
+index 5fd6fea049d..858e5814e92 100644
+--- openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c
++++ openjdk/jdk/src/share/native/java/util/zip/zip_util.c
+@@ -385,6 +385,9 @@ findEND64(jzfile *zip, void *end64buf, jlong endpos)
+ {
+     char loc64[ZIP64_LOCHDR];
+     jlong end64pos;
++    if (endpos < ZIP64_LOCHDR) {
++	return -1;
++    }
+     if (readFullyAt(zip->zfd, loc64, ZIP64_LOCHDR, endpos - ZIP64_LOCHDR) == -1) {
+         return -1;    // end64 locator not found
+     }
+@@ -567,6 +570,7 @@ readCEN(jzfile *zip, jint knownTotal)
+ {
+     /* Following are unsigned 32-bit */
+     jlong endpos, end64pos, cenpos, cenlen, cenoff;
++    jlong cenlen64, cenoff64, centot64;
+     /* Following are unsigned 16-bit */
+     jint total, tablelen, i, j;
+     unsigned char *cenbuf = NULL;
+@@ -594,13 +598,20 @@ readCEN(jzfile *zip, jint knownTotal)
+     cenlen = ENDSIZ(endbuf);
+     cenoff = ENDOFF(endbuf);
+     total  = ENDTOT(endbuf);
+-    if (cenlen == ZIP64_MAGICVAL || cenoff == ZIP64_MAGICVAL ||
+-        total == ZIP64_MAGICCOUNT) {
+-        unsigned char end64buf[ZIP64_ENDHDR];
+-        if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
+-            cenlen = ZIP64_ENDSIZ(end64buf);
+-            cenoff = ZIP64_ENDOFF(end64buf);
+-            total = (jint)ZIP64_ENDTOT(end64buf);
++    unsigned char end64buf[ZIP64_ENDHDR];
++    if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
++	// end64 candidate found,
++	cenlen64 = ZIP64_ENDSIZ(end64buf);
++	cenoff64 = ZIP64_ENDOFF(end64buf);
++	centot64 = ZIP64_ENDTOT(end64buf);
++	// double-check
++	if ((cenlen64 == cenlen || cenlen == ZIP64_MAGICVAL) &&
++	    (cenoff64 == cenoff || cenoff == ZIP64_MAGICVAL) &&
++	    (centot64 == total || total == ZIP64_MAGICCOUNT)) {
++	    // to use the end64 values
++            cenlen = cenlen64;
++            cenoff = cenoff64;
++            total = (jint)centot64;
+             endpos = end64pos;
+             endhdrlen = ZIP64_ENDHDR;
+         }
+diff --git openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
+index ffe8a8ed712..9b380003893 100644
+--- openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java
++++ openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
+@@ -22,7 +22,7 @@
+  */
+ 
+ /* @test
+- * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993
++ * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993 8186464
+  * @summary Make sure we can read a zip file.
+    @key randomness
+  * @run main/othervm ReadZip
+@@ -31,12 +31,24 @@
+  */
+ 
+ import java.io.*;
++import java.net.URI;
+ import java.nio.file.Files;
++import java.nio.file.FileSystem;
++import java.nio.file.FileSystems;
++import java.nio.file.Path;
+ import java.nio.file.Paths;
+ import java.nio.file.StandardCopyOption;
+ import java.nio.file.StandardOpenOption;
++import java.util.Collections;
++import java.util.HashMap;
++import java.util.List;
++import java.util.Map;
+ import java.util.zip.*;
+ 
++import sun.misc.IOUtils;
++
++import static java.nio.charset.StandardCharsets.US_ASCII;
++
+ public class ReadZip {
+     private static void unreached (Object o)
+         throws Exception
+@@ -144,8 +156,6 @@ public class ReadZip {
+             newZip.delete();
+         }
+ 
+-
+-
+         // Throw a FNF exception when read a non-existing zip file
+         try { unreached (new ZipFile(
+                              new File(System.getProperty("test.src", "."),
+@@ -153,5 +163,54 @@ public class ReadZip {
+                                       + String.valueOf(new java.util.Random().nextInt())
+                                       + ".zip")));
+         } catch (FileNotFoundException fnfe) {}
++
++        // read a zip file with ZIP64 end
++        Path path = Paths.get(System.getProperty("test.dir", ""), "end64.zip");
++        try {
++            URI uri = URI.create("jar:" + path.toUri());
++            Map<String, Object> env = new HashMap<>();
++	    env.put("create", "true");
++	    env.put("forceZIP64End", "true");
++            try (FileSystem fs = FileSystems.newFileSystem(uri, env)) {
++                Files.write(fs.getPath("hello"), "hello".getBytes());
++            }
++            try (ZipFile zf = new ZipFile(path.toFile())) {
++                if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("hello"))),
++                                               US_ASCII)))
++                    throw new RuntimeException("zipfile: read entry failed");
++            } catch (IOException x) {
++                throw new RuntimeException("zipfile: zip64 end failed");
++            }
++            try (FileSystem fs = FileSystems.newFileSystem(uri, Collections.emptyMap())) {
++                if (!"hello".equals(new String(Files.readAllBytes(fs.getPath("hello")))))
++                    throw new RuntimeException("zipfs: read entry failed");
++            } catch (IOException x) {
++                throw new RuntimeException("zipfile: zip64 end failed");
++            }
++        } finally {
++            Files.deleteIfExists(path);
++        }
++
++        // read a zip file created via "echo hello | zip dst.zip -", which uses
++        // ZIP64 end record
++        if (Files.notExists(Paths.get("/usr/bin/zip")))
++            return;
++        try {
++            Process zip = new ProcessBuilder("zip", path.toString().toString(), "-").start();
++            OutputStream os = zip.getOutputStream();
++            os.write("hello".getBytes(US_ASCII));
++            os.close();
++            zip.waitFor();
++            if (zip.exitValue() == 0 && Files.exists(path)) {
++                try (ZipFile zf = new ZipFile(path.toFile())) {
++                    if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("-"))))))
++                        throw new RuntimeException("zipfile: read entry failed");
++                } catch (IOException x) {
++                    throw new RuntimeException("zipfile: zip64 end failed");
++                }
++            }
++        } finally {
++            Files.deleteIfExists(path);
++        }
+     }
+ }

SOURCES/jdk8218811-perfMemory_linux.patch

@@ -1,12 +0,0 @@
-diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
---- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
-+++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
-@@ -878,7 +878,7 @@
- 
-   // open the file
-   int result;
--  RESTARTABLE(::open(filename, oflags), result);
-+  RESTARTABLE(::open(filename, oflags, 0), result);
-   if (result == OS_ERR) {
-     if (errno == ENOENT) {
-       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),

SOURCES/jdk8275535-rh2053256-ldap_auth.patch

@@ -1,26 +0,0 @@
-diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index cf4becb7db..4ab2ac0a31 100644
---- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-                     ctx = getLdapCtxFromUrl(
-                             r.getDomainName(), url, new LdapURL(u), env);
-                     return ctx;
-+                } catch (AuthenticationException e) {
-+                    // do not retry on a different endpoint to avoid blocking
-+                    // the user if authentication credentials are wrong.
-+                    throw e;
-                 } catch (NamingException e) {
-                     // try the next element
-                     lastException = e;
-@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-         for (String u : urls) {
-             try {
-                 return getUsingURL(u, env);
-+            } catch (AuthenticationException e) {
-+                // do not retry on a different URL to avoid blocking
-+                // the user if authentication credentials are wrong.
-+                throw e;
-             } catch (NamingException e) {
-                 ex = e;
-             }

SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch

@@ -7,10 +7,11 @@
 8074839: Resolve disabled warnings for libunpack and the unpack200 binary
 Reviewed-by: dholmes, ksrini
 
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-@@ -63,7 +63,7 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+index bdaf95a2f6a..60c5b4f2a69 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+@@ -63,7 +63,7 @@ struct bytes {
      bytes res;
      res.ptr = ptr + beg;
      res.len = end - beg;
@@ -19,10 +20,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openj
      return res;
    }
    // building C strings inside byte buffers:
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-@@ -292,7 +292,7 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+index 5fbc7261fb3..4c002e779d8 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
  
    if (uPtr->aborting()) {
      THROW_IOE(uPtr->get_abort_message());
@@ -31,16 +33,16 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openj
    }
  
    // We have fetched all the files.
-@@ -310,7 +310,7 @@
- JNIEXPORT jlong JNICALL
- Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
-   unpacker* uPtr = get_unpacker(env, pObj, false);
+@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
+   // There's no need to create a new unpacker here if we don't already have one
+   // just to immediatly free it afterwards.
+   unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
 -  CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
 +  CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
    size_t consumed = uPtr->input_consumed();
+   // free_unpacker() will set the unpacker field on 'pObj' to null
    free_unpacker(env, pObj, uPtr);
-   return consumed;
-@@ -320,6 +320,7 @@
+@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
  Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
                                         jstring pProp, jstring pValue) {
    unpacker*   uPtr  = get_unpacker(env, pObj);
@@ -48,10 +50,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openj
    const char* prop  = env->GetStringUTFChars(pProp, JNI_FALSE);
    CHECK_EXCEPTION_RETURN_VALUE(prop, false);
    const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-@@ -142,31 +142,28 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+index 6fbc43a18ae..722c8baaff0 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
    return progname;
  }
  
@@ -101,10 +104,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp open
    }
  }
  
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-@@ -222,9 +222,9 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+index a585535c513..8df3fade499 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -225,9 +225,9 @@ struct entry {
    }
  
  #ifdef PRODUCT
@@ -116,7 +120,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  #endif
  };
  
-@@ -715,13 +715,13 @@
+@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
    // Now we can size the whole archive.
    // Read everything else into a mega-buffer.
    rp = hdr.rp;
@@ -134,7 +138,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
        abort("EOF reading fixed input buffer");
        return;
      }
-@@ -735,7 +735,7 @@
+@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
        return;
      }
      input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@@ -143,7 +147,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
      CHECK;
      assert(input.limit()[0] == 0);
      // Move all the bytes we read initially into the real buffer.
-@@ -958,13 +958,13 @@
+@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
    nentries = next_entry;
  
    // place a limit on future CP growth:
@@ -159,18 +163,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  
    // Note that this CP does not include "empty" entries
    // for longs and doubles.  Those are introduced when
-@@ -982,8 +982,9 @@
-   }
- 
-   // Initialize *all* our entries once
--  for (int i = 0 ; i < maxentries ; i++)
-+  for (uint i = 0 ; i < maxentries ; i++) {
-     entries[i].outputIndex = REQUESTED_NONE;
-+  }
- 
-   initGroupIndexes();
-   // Initialize hashTab to a generous power-of-two size.
-@@ -3677,21 +3678,22 @@
+@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
  
  unpacker* debug_u;
  
@@ -197,7 +190,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
    case CONSTANT_Signature:
      if (value.b.ptr == null)
        return ref(0)->string();
-@@ -3711,26 +3713,28 @@
+@@ -3728,26 +3729,28 @@ char* entry::string() {
      break;
    default:
      if (nrefs == 0) {
@@ -235,10 +228,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  }
  
  void print_cp_entries(int beg, int end) {
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-@@ -209,7 +209,7 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+index 4ec595333c4..aad0c971ef2 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+@@ -209,7 +209,7 @@ struct unpacker {
    byte*     rp;          // read pointer (< rplimit <= input.limit())
    byte*     rplimit;     // how much of the input block has been read?
    julong    bytes_read;
@@ -247,10 +241,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h open
  
    // callback to read at least one byte, up to available input
    typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-@@ -81,7 +81,7 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+index da39a589545..1281d8b25c8 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+@@ -81,7 +81,7 @@ void breakpoint() { }  // hook for debugger
  int assert_failed(const char* p) {
    char message[1<<12];
    sprintf(message, "@assert failed: %s\n", p);
@@ -259,10 +254,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp ope
    breakpoint();
    unpack_abort(message);
    return 0;
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-@@ -84,7 +84,7 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+index f58c94956c0..343da3e183b 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
  }
  
  // Write data to the ZIP output stream.
@@ -271,7 +267,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openj
    while (len > 0) {
      int rc = (int)fwrite(buff, 1, len, jarfp);
      if (rc <= 0) {
-@@ -323,12 +323,12 @@
+@@ -323,12 +323,12 @@ void jar::write_central_directory() {
      // Total number of disks (int)
      header64[36] = (ushort)SWAP_BYTES(1);
      header64[37] = 0;
@@ -286,10 +282,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openj
  
    PRINTCR((2, "writing zip comment\n"));
    // Write the comment.
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-@@ -68,8 +68,8 @@
+diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+index 14ffc9d65bd..9877f6f68ca 100644
+--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
++++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+@@ -68,8 +68,8 @@ struct jar {
    }
  
    // Private Methods

SOURCES/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch

@@ -1,5 +1,5 @@
 diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-index e7b4763db53..e8ec8467e6a 100644
+index e7b4763db53..0005e56f528 100644
 --- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
 +++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
 @@ -31,6 +31,7 @@ import java.security.*;
@@ -19,16 +19,17 @@ index e7b4763db53..e8ec8467e6a 100644
       */
      private static final class TrustStoreDescriptor {
          private static final String fileSep = File.separator;
-@@ -76,7 +77,7 @@ final class TrustStoreManager {
+@@ -76,7 +77,8 @@ final class TrustStoreManager {
                  GetPropertyAction.privilegedGetProperty("java.home") +
                  fileSep + "lib" + fileSep + "security";
          private static final String defaultStore =
 -                defaultStorePath + fileSep + "cacerts";
-+            KeyStoreUtil.getCacertsKeyStoreFile().getPath();
++                AccessController.doPrivileged((PrivilegedAction<String>) () ->
++                        KeyStoreUtil.getCacertsKeyStorePath());
          private static final String jsseDefaultStore =
                  defaultStorePath + fileSep + "jssecacerts";
  
-@@ -139,6 +140,10 @@ final class TrustStoreManager {
+@@ -139,6 +141,10 @@ final class TrustStoreManager {
                      String storePropPassword = System.getProperty(
                              "javax.net.ssl.trustStorePassword", "");
  
@@ -39,117 +40,56 @@ index e7b4763db53..e8ec8467e6a 100644
                      String temporaryName = "";
                      File temporaryFile = null;
                      long temporaryTime = 0L;
-@@ -146,21 +151,22 @@ final class TrustStoreManager {
-                         String[] fileNames =
-                                 new String[] {storePropName, defaultStore};
-                         for (String fileName : fileNames) {
--                            File f = new File(fileName);
--                            if (f.isFile() && f.canRead()) {
--                                temporaryName = fileName;;
--                                temporaryFile = f;
--                                temporaryTime = f.lastModified();
--
--                                break;
--                            }
--
--                            // Not break, the file is inaccessible.
--                            if (SSLLogger.isOn &&
-+                            if (fileName != null && !"".equals(fileName)) {
-+                                File f = new File(fileName);
-+                                if (f.isFile() && f.canRead()) {
-+                                    temporaryName = fileName;;
-+                                    temporaryFile = f;
-+                                    temporaryTime = f.lastModified();
-+
-+                                    break;
-+                                }
-+                                // Not break, the file is inaccessible.
-+                                if (SSLLogger.isOn &&
+@@ -160,7 +166,7 @@ final class TrustStoreManager {
                                      SSLLogger.isOn("trustmanager")) {
--                                SSLLogger.fine(
--                                        "Inaccessible trust store: " +
+                                 SSLLogger.fine(
+                                         "Inaccessible trust store: " +
 -                                        storePropName);
-+                                    SSLLogger.fine(
-+                                            "Inaccessible trust store: " +
 +                                        fileName);
-+                                }
                              }
                          }
                      } else {
 diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-index fcc77786da1..f554f83a8b4 100644
+index fcc77786da1..3a4388964cc 100644
 --- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
 +++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
+@@ -41,6 +41,8 @@ import java.text.Collator;
+ import java.util.Locale;
+ import java.util.ResourceBundle;
  
- import java.net.URL;
- 
-+import java.security.AccessController;
- import java.security.KeyStore;
-+import java.security.PrivilegedAction;
-+import java.security.Security;
- 
- import java.security.cert.X509Certificate;
- import java.text.Collator;
-@@ -54,6 +57,33 @@ public class KeyStoreUtil {
++import sun.security.util.SecurityProperties;
++
+ /**
+  * <p> This class provides several utilities to <code>KeyStore</code>.
+  *
+@@ -54,6 +56,8 @@ public class KeyStoreUtil {
  
      private static final String JKS = "jks";
  
-+    private static final String PROP_NAME = "security.systemCACerts";
-+
-+    /**
-+     * Returns the value of the security property propName, which can be overridden
-+     * by a system property of the same name
-+     *
-+     * @param  propName the name of the system or security property
-+     * @return the value of the system or security property
-+     */
-+    @SuppressWarnings("removal")
-+    public static String privilegedGetOverridable(String propName) {
-+        if (System.getSecurityManager() == null) {
-+            return getOverridableProperty(propName);
-+        } else {
-+            return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
-+        }
-+    }
-+
-+    private static String getOverridableProperty(String propName) {
-+        String val = System.getProperty(propName);
-+        if (val == null) {
-+            return Security.getProperty(propName);
-+        } else {
-+            return val;
-+        }
-+    }
++    private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts";
 +
      /**
       * Returns true if the certificate is self-signed, false otherwise.
       */
-@@ -96,20 +126,38 @@ public class KeyStoreUtil {
+@@ -96,16 +100,30 @@ public class KeyStoreUtil {
          }
      }
  
 +    /**
 +     * Returns the path to the cacerts DB
 +     */
-+    public static File getCacertsKeyStoreFile()
++    public static String getCacertsKeyStorePath()
 +    {
++        // Check system DB first, preferring system property over security one
++        String systemDB = SecurityProperties
++                .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP);
++        if (systemDB != null && !"".equals(systemDB) &&
++                (new File(systemDB)).isFile()) {
++            return systemDB;
++        }
 +        String sep = File.separator;
-+        File file = null;
-+        /* Check system cacerts DB first, preferring system property over security property */
-+        String systemDB = privilegedGetOverridable(PROP_NAME);
-+        if (systemDB != null && !"".equals(systemDB)) {
-+            file = new File(systemDB);
-+        }
-+        if (file == null || !file.exists()) {
-+            file = new File(System.getProperty("java.home") + sep
-+                            + "lib" + sep + "security" + sep
-+                            + "cacerts");
-+        }
-+        if (file.exists()) {
-+            return file;
-+        }
-+        return null;
++        return System.getProperty("java.home") + sep
++                + "lib" + sep + "security" + sep + "cacerts";
 +    }
 +
      /**
@@ -162,27 +102,21 @@ index fcc77786da1..f554f83a8b4 100644
 -        File file = new File(System.getProperty("java.home") + sep
 -                             + "lib" + sep + "security" + sep
 -                             + "cacerts");
--        if (!file.exists()) {
--            return null;
--        }
-         KeyStore caks = null;
-+        File file = getCacertsKeyStoreFile();
-+        if (file == null) { return null; }
-         try (FileInputStream fis = new FileInputStream(file)) {
-             caks = KeyStore.getInstance(JKS);
-             caks.load(fis, null);
++        File file = new File(getCacertsKeyStorePath());
+         if (!file.exists()) {
+             return null;
+         }
 diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index bfe0c593adb..093bc09bf95 100644
+index 681a24b905d..ecb8bc43a6c 100644
 --- a/jdk/src/share/lib/security/java.security-aix
 +++ b/jdk/src/share/lib/security/java.security-aix
-@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
+@@ -294,6 +294,12 @@ security.overridePropertiesFile=true
  #
  security.useSystemPropertiesFile=false
  
 +#
 +# Specifies the system certificate store
-+# This property may be disabled using
-+# -Djava.security.disableSystemCACerts=true
++# This property may be disabled using an empty value
 +#
 +security.systemCACerts=${java.home}/lib/security/cacerts
 +
@@ -190,17 +124,16 @@ index bfe0c593adb..093bc09bf95 100644
  # Determines the default key and trust manager factory algorithms for
  # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index 9d1c8fe8a8e..16c9281cc1f 100644
+index 789c19a8cba..2546fdec9b2 100644
 --- a/jdk/src/share/lib/security/java.security-linux
 +++ b/jdk/src/share/lib/security/java.security-linux
-@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
+@@ -307,6 +307,12 @@ security.overridePropertiesFile=true
  #
  security.useSystemPropertiesFile=false
  
 +#
 +# Specifies the system certificate store
-+# This property may be disabled using
-+# -Djava.security.disableSystemCACerts=true
++# This property may be disabled using an empty value
 +#
 +security.systemCACerts=${java.home}/lib/security/cacerts
 +
@@ -208,17 +141,16 @@ index 9d1c8fe8a8e..16c9281cc1f 100644
  # Determines the default key and trust manager factory algorithms for
  # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index 19047c61097..43e034cdeaf 100644
+index d4da666af3b..1a20027c02b 100644
 --- a/jdk/src/share/lib/security/java.security-macosx
 +++ b/jdk/src/share/lib/security/java.security-macosx
-@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
  #
  security.useSystemPropertiesFile=false
  
 +#
 +# Specifies the system certificate store
-+# This property may be disabled using
-+# -Djava.security.disableSystemCACerts=true
++# This property may be disabled using an empty value
 +#
 +security.systemCACerts=${java.home}/lib/security/cacerts
 +
@@ -226,17 +158,16 @@ index 19047c61097..43e034cdeaf 100644
  # Determines the default key and trust manager factory algorithms for
  # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index 7eda556ae13..325937e97fb 100644
+index 300132384a1..6299e0a3c7b 100644
 --- a/jdk/src/share/lib/security/java.security-solaris
 +++ b/jdk/src/share/lib/security/java.security-solaris
-@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
+@@ -295,6 +295,12 @@ security.overridePropertiesFile=true
  #
  security.useSystemPropertiesFile=false
  
 +#
 +# Specifies the system certificate store
-+# This property may be disabled using
-+# -Djava.security.disableSystemCACerts=true
++# This property may be disabled using an empty value
 +#
 +security.systemCACerts=${java.home}/lib/security/cacerts
 +
@@ -244,17 +175,16 @@ index 7eda556ae13..325937e97fb 100644
  # Determines the default key and trust manager factory algorithms for
  # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index dfa1a669aa9..92ef777e065 100644
+index 64db5a5cd1e..823994f3466 100644
 --- a/jdk/src/share/lib/security/java.security-windows
 +++ b/jdk/src/share/lib/security/java.security-windows
-@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
  #
  security.useSystemPropertiesFile=false
  
 +#
 +# Specifies the system certificate store
-+# This property may be disabled using
-+# -Djava.security.disableSystemCACerts=true
++# This property may be disabled using an empty value
 +#
 +security.systemCACerts=${java.home}/lib/security/cacerts
 +

SOURCES/repack_reproducible_policies.sh

@@ -17,7 +17,7 @@ fi
 d=`mktemp -d`
 NW=$d/$f
   pushd $d
-    jar  xf   $ORIG
+    unzip $ORIG
     cat $M
 #    sed -i "s/Created-By.*/Created-By: 1.7.0/g"  $M
     sed -i "s/Created-By.*/Created-By: $2/g"  $M

SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch

@@ -0,0 +1,16 @@
+diff -uNr openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java jdk8/jdk/src/share/classes/java/awt/Toolkit.java
+--- openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java	2009-01-23 11:59:47.000000000 -0500
++++ jdk8/jdk/src/share/classes/java/awt/Toolkit.java	2009-01-23 12:05:20.000000000 -0500
+@@ -883,7 +883,11 @@
+                     return null;
+                 }
+             });
+-            loadAssistiveTechnologies();
++         try {
++                 loadAssistiveTechnologies();
++             } catch ( AWTError error) {
++                 // ignore silently
++             }
+         }
+         return toolkit;
+     }

SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch

@@ -0,0 +1,13 @@
+--- openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:12.038189968 +0100
++++ openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+ 
+     private final static String PROP_NAME = "sun.security.smartcardio.library";
+ 
+-    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+-    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+     private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+ 
+     PlatformPCSC() {

SOURCES/s390-8214206_fix.patch

@@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
    Atomic::add(val, &_sum);
  
 -  int mag = log2_intptr(val) + 1;
-+  int mag = log2_intptr((uintptr_t)val) + 1;
++  int mag = log2_long(val) + 1;
  
    // Defensively saturate for product bits:
    if (mag < 0) {