import java-11-openjdk-11.0.14.1.1-6.el8

2022-05-10 03:01:16 -04:00 · 2022-05-10 03:01:16 -04:00 · aaf8ffdea1
commit aaf8ffdea1
parent 785e294091
10 changed files with 723 additions and 498 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@ -1,2 +1,2 @@
-9d43605109c7a4c5cad6cef74e19efe42fb163f8 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
+dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@ -3,217 +3,6 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release OpenJDK 11.0.15 (2022-04-19):
 =============================================
 Live versions of these release notes can be found at:
  * https://bitly.com/openjdk11015
  * https://builds.shipilev.net/backports-monitor/release-notes-11.0.15.txt
 * New features
  - JDK-8253795: Implementation of JEP 391: macOS/AArch64 Port
 * Security fixes
  - JDK-8269938: Enhance XML processing passes redux
  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
  - JDK-8272255: Completely handle MIDI files
  - JDK-8272261: Improve JFR recording file processing
  - JDK-8272594: Better record of recordings
  - JDK-8274221: More definite BER encodings
  - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
  - JDK-8275151, CVE-2022-21443: Improved Object Identification
  - JDK-8277227: Better identification of OIDs
  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
  - JDK-8278356: Improve file creation
  - JDK-8278449: Improve keychain support
  - JDK-8278798: Improve supported intrinsic
  - JDK-8278805: Enhance BMP image loading
  - JDK-8278972, CVE-2022-21496: Improve URL supports
  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
 * Other changes
  - JDK-8065704: Set LC_ALL=C for all relevant commands in the build system
  - JDK-8177814: jdk/editpad is not in jdk TEST.groups
  - JDK-8186780: clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment()
  - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
  - JDK-8193277: SimpleFileObject inconsistency between getName and getShortName
  - JDK-8199079: Test javax/swing/UIDefaults/6302464/bug6302464.java is unstable
  - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
  - JDK-8207011: Remove uses of the register storage class specifier
  - JDK-8207793: [TESTBUG] runtime/Metaspace/FragmentMetaspace.java fails: heap needs to be increased
  - JDK-8208074: [TESTBUG] vmTestbase/nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption/TestDescription.java failed with NullPointerException
  - JDK-8210194: [TESTBUG] jvmti_FollowRefObjects.cpp missing initializer for member _jvmtiHeapCallbacks::heap_reference_callback
  - JDK-8210236: Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading
  - JDK-8211170: AArch64: Warnings in C1 and template interpreter
  - JDK-8211333: AArch64: Fix another build failure after JDK-8211029
  - JDK-8214004: Missing space between compiler thread name and task info in hs_err
  - JDK-8214026: Canonicalized archive paths appearing in diagnostics
  - JDK-8214761: Bug in parallel Kahan summation implementation
  - JDK-8216969: ParseException thrown for certain months with russian locale
  - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
  - JDK-8220634: SymLinkArchiveTest should handle not being able to create symlinks
  - JDK-8222825: ARM32 SIGILL issue on single core CPU (not supported PLDW instruction)
  - JDK-8223142: Clean-up WS and CB.
  - JDK-8225559: assertion error at TransTypes.visitApply
  - JDK-8232533: G1 uses only a single thread for pretouching the java heap
  - JDK-8233827: Enable screenshots in the enhanced failure handler on Linux/macOS
  - JDK-8233986: ProblemList javax/swing/plaf/basic/BasicTextUI/8001470/bug8001470.java for windows-x64
  - JDK-8234930: Use MAP_JIT when allocating pages for code cache on macOS
  - JDK-8236210: javac generates wrong annotation for fields generated from record components
  - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
  - JDK-8237787: rewrite vmTestbase/vm/compiler/CodeCacheInfo* from shell to java
  - JDK-8237798: rewrite vmTestbase/jit/tiered from shell to java
  - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
  - JDK-8240904: Screen flashes on test failures when running tests from make
  - JDK-8241004: NMT tests fail on unaligned thread size with debug build
  - JDK-8241423: NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
  - JDK-8247272: SA ELF file support has never worked for 64-bit causing address to symbol name mapping to fail
  - JDK-8247515: OSX pc_to_symbol() lookup does not work with core files
  - JDK-8249019: clean up FileInstaller $test.src $cwd in vmTestbase_vm_compiler tests
  - JDK-8250750: JDK-8247515 fix for OSX pc_to_symbol() lookup fails with some symbols
  - JDK-8251126: nsk.share.GoldChecker should read golden file from ${test.src}
  - JDK-8251127: clean up FileInstaller $test.src $cwd in remaining vmTestbase_vm_compiler tests
  - JDK-8251132: make main classes public in vmTestbase/jit tests
  - JDK-8251558: J2DBench should support shaped and translucent windows
  - JDK-8251998: remove usage of PropertyResolvingWrapper in vmTestbase/jit/t
  - JDK-8252005: narrow disabling of allowSmartActionArgs in vmTestbase
  - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
  - JDK-8253816: Support macOS W^X
  - JDK-8253817: Support macOS Aarch64 ABI in Interpreter
  - JDK-8253818: Support macOS Aarch64 ABI for compiled wrappers
  - JDK-8253819: Implement os/cpu for macOS/AArch64
  - JDK-8253839: Update tests and JDK code for macOS/Aarch64
  - JDK-8254072: AArch64: Get rid of --disable-warnings-as-errors on Windows+ARM64 build
  - JDK-8254085: javax/swing/text/Caret/TestCaretPositionJTextPane.java failed with "RuntimeException:  Wrong caret position"
  - JDK-8254827: JVMCI: Enable it for Windows+AArch64
  - JDK-8254940: AArch64: Cleanup non-product thread members
  - JDK-8254941: Implement Serviceability Agent for macOS/AArch64
  - JDK-8255035: Update BCEL to Version 6.5.0
  - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
  - JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider
  - JDK-8255776: Change build system for macOS/AArch64
  - JDK-8256154: Some TestNG tests require default constructors
  - JDK-8256321: Some "inactive" color profiles use the wrong profile class
  - JDK-8256373: [Windows/HiDPI] The Frame#setBounds does not work in a minimized state
  - JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c
  - JDK-8257769: Cipher.getParameters() throws NPE for ChaCha20-Poly1305
  - JDK-8258554: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
  - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
  - JDK-8261205: AssertionError: Cannot add metadata to an intersection type
  - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
  - JDK-8262894: [macos_aarch64] SIGBUS in Assembler::ld_st2
  - JDK-8262896: [macos_aarch64] Crash in jni_fast_GetLongField
  - JDK-8262903: [macos_aarch64] Thread::current() called on detached thread
  - JDK-8263185: Mallinfo deprecated in glibc 2.33
  - JDK-8264650: Cross-compilation to macos/aarch64
  - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
  - JDK-8266168: -Wmaybe-uninitialized happens in check_code.c
  - JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
  - JDK-8266171: -Warray-bounds happens in imageioJPEG.c
  - JDK-8266172: -Wstringop-overflow happens in vmError.cpp
  - JDK-8266173: -Wmaybe-uninitialized happens in jni_util.c
  - JDK-8266174: -Wmisleading-indentation happens in libmlib_image sources
  - JDK-8266176: -Wmaybe-uninitialized happens in libArrayIndexOutOfBoundsExceptionTest.c
  - JDK-8266187: Memory leak in appendBootClassPath()
  - JDK-8266421: Deadlock in Sound System
  - JDK-8266889: [macosx-aarch64] Crash with SIGBUS in MarkActivationClosure::do_code_blob during vmTestbase/nsk/jvmti/.../bi04t002 test run
  - JDK-8268014: Build failure on SUSE Linux Enterprise Server 11.4 (s390x) due to 'SYS_get_mempolicy' was not declared
  - JDK-8268542: serviceability/logging/TestFullNames.java tests only 1st test case
  - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
  - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
  - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
  - JDK-8272345: macos doesn't check `os::set_boot_path()` result
  - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
  - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
  - JDK-8273277: C2: Move conditional negation into rc_predicate
  - JDK-8273341: Update Siphash to version 1.0
  - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
  - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
  - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
  - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
  - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
  - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
  - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
  - JDK-8273682: Upgrade Jline to 3.20.0
  - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
  - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
  - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
  - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
  - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
  - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
  - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
  - JDK-8274658: ISO 4217 Amendment 170 Update
  - JDK-8274714: Incorrect verifier protected access error message
  - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
  - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
  - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
  - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
  - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
  - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
  - JDK-8275811: Incorrect instance to dispose
  - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
  - JDK-8276141: XPathFactory set/getProperty method
  - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
  - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
  - JDK-8276623: JDK-8275650 accidentally pushed "out" file
  - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
  - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
  - JDK-8277385: Zero: Enable CompactStrings support
  - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
  - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
  - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
  - JDK-8277795: ldap connection timeout not honoured under contention
  - JDK-8277796: Bump update version for OpenJDK: jdk-11.0.15
  - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
  - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
  - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
  - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
  - JDK-8278309: [windows] use of uninitialized OSThread::_state
  - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
  - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
  - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
  - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
  - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
  - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
  - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
  - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
  - JDK-8279379: GHA: Print tests that are in error
  - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
  - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
  - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
  - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
  - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
  - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
  - JDK-8280414: Memory leak in DefaultProxySelector
  - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
  - JDK-8280786: Build failure on Solaris after 8262392
  - JDK-8280999: array_bounds should be array-bounds after 8278507
  - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
  - JDK-8281520: JFR: A wrong parameter is passed to the constructor of LeakKlassWriter
  - JDK-8281599: test/lib/jdk/test/lib/KnownOIDs.java is redundant since JDK-8268801
  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
  - JDK-8282372: [11] build issue on MacOS/aarch64 12.2.1 using Xcode 13.1: call to 'log2_intptr' is ambiguous
  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
  - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
  - JDK-8283018: 11u GHA: Update GCC 9 minor versions
  - JDK-8283270: [11u] broken JRT_ENTRY_NO_ASYNC after Backport of JDK-8253795
  - JDK-8283778: 11u GHA: Fix GCC 9 ubuntu package names
  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
 Notes on individual issues:
 ===========================
 security-libs/javax.crypto:pkcs11:
 JDK-8275737: SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library
 ==========================================================================================================================
 SunPKCS11 provider is enhanced to support the following crypto
 services and algorithms when the underlying PKCS11 library supports
 the corresponding PKCS#11 mechanisms:
 * ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
 * ChaCha20-Poly1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
 * ChaCha20-Poly1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
 * ChaCha20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
 New in release OpenJDK 11.0.14.1 (2022-02-08):
 =============================================
 Live versions of these release notes can be found at:
--- a/SOURCES/jdk8257794-remove_broken_assert.patch
+++ b/SOURCES/jdk8257794-remove_broken_assert.patch
@ -0,0 +1,12 @@
 diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
 index d18d70b5f9..30ab380e40 100644
 --- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
 +++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
 #ifdef ASSERT
   if (istate->_msg != initialize) {
     assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
 -    IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
   }
   // Verify linkages.
   interpreterState l = istate;
--- a/SOURCES/jdk8284920-incorrect_token_type.patch
+++ b/SOURCES/jdk8284920-incorrect_token_type.patch
@ -1,104 +0,0 @@
 From 34af291680f7554b16412205e7b47aa2f829b29c Mon Sep 17 00:00:00 2001
 From: Anton Kozlov <akozlov@azul.com>
 Date: Fri, 15 Apr 2022 14:07:52 +0300
 Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to
 return empty result
 Backport-of: 0d3aea2f11df585b491ae5c07de9f66679601d58
 Reviewed-by:
 ---
 .../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++--
 .../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++--
 .../org/apache/xpath/internal/compiler/XPathParser.java   | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
 diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
 index b7b3f419eb2..41b58da8e99 100644
 --- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
 +++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -360,7 +360,7 @@ class Lexer
         addToTokenQueue(pat.substring(i, i + 1));
         break;
 -      case Token.COLON :
 +      case Token.COLON_CHAR:
         if (i>0)
         {
           if (posOfNSSep == (i - 1))
@@ -615,7 +615,7 @@ class Lexer
         resetTokenMark(tokPos + 1);
       }
 -      if (m_processor.lookahead(Token.COLON, 1))
 +      if (m_processor.lookahead(Token.COLON_CHAR, 1))
       {
         tokPos += 2;
       }
 diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
 index 8c4fee146c6..7bce14e5770 100644
 --- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
 +++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
@@ -45,10 +45,9 @@ public final class Token {
     static final char LPAREN = '(';
     static final char RPAREN = ')';
     static final char COMMA = ',';
 -    static final char DOT = '.';
     static final char AT = '@';
     static final char US = '_';
 -    static final char COLON = ':';
 +    static final char COLON_CHAR = ':';
     static final char SQ = '\'';
     static final char DQ = '"';
     static final char DOLLAR = '$';
@@ -58,6 +57,7 @@ public final class Token {
     static final String DIV = "div";
     static final String MOD = "mod";
     static final String QUO = "quo";
 +    static final String DOT = ".";
     static final String DDOT = "..";
     static final String DCOLON = "::";
     static final String ATTR = "attribute";
 diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
 index c3f9e1494be..22192fd06f6 100644
 --- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
 +++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
@@ -1413,7 +1413,7 @@ public class XPathParser
       matchFound = true;
     }
 -    else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3)))
 +    else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3)))
     {
       matchFound = FunctionCall();
     }
@@ -1457,7 +1457,7 @@ public class XPathParser
     int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH);
 -    if (lookahead(Token.COLON, 1))
 +    if (lookahead(Token.COLON_CHAR, 1))
     {
       appendOp(4, OpCodes.OP_EXTFUNCTION);
@@ -1841,7 +1841,7 @@ public class XPathParser
       m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME);
       m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
 -      if (lookahead(Token.COLON, 1))
 +      if (lookahead(Token.COLON_CHAR, 1))
       {
         if (tokenIs(Token.STAR))
         {
@@ -1944,7 +1944,7 @@ public class XPathParser
   protected void QName() throws TransformerException
   {
     // Namespace
 -    if(lookahead(Token.COLON, 1))
 +    if(lookahead(Token.COLON_CHAR, 1))
     {
       m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1);
       m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
 -- 
 2.34.1
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@ -1,6 +1,6 @@
 name = NSS-FIPS
 nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = @NSS_SECMOD@
+nssSecmodDirectory = sql:/etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@ -1,3 +1,9 @@
 commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
 Author: Martin Balao <mbalao@redhat.com>
 Date:   Fri Aug 27 19:42:07 2021 +0100
    RH1996182: Login to the NSS Software Token in FIPS Mode
 diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
 index 5460efcf8c..f08dc2fafc 100644
 --- openjdk.orig/src/java.base/share/classes/module-info.java
@ -11,11 +17,11 @@ index 5460efcf8c..f08dc2fafc 100644
         jdk.attach,
         jdk.charsets,
 diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 099caac605..ffadb43eb1 100644
+index 5e227f4531..164de8ff08 100644
 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
+@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+ import javax.security.auth.callback.PasswordCallback;
 import jdk.internal.misc.InnocuousThread;
 +import jdk.internal.misc.SharedSecrets;
@ -23,7 +29,7 @@ index 099caac605..ffadb43eb1 100644
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
  */
 public final class SunPKCS11 extends AuthProvider {
@ -33,7 +39,7 @@ index 099caac605..ffadb43eb1 100644
     private static final long serialVersionUID = -1354835039035306505L;
     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
@ -0,0 +1,99 @@
 commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
 Author: Andrew Hughes <gnu.andrew@redhat.com>
 Date:   Tue Jan 18 02:09:27 2022 +0000
    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
 diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
 index 28ab1846173..f9726741afd 100644
 --- openjdk.orig/src/java.base/share/classes/java/security/Security.java
 +++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
     private static final Debug sdebug =
                         Debug.getInstance("properties");
 -    /* System property file*/
 -    private static final String SYSTEM_PROPERTIES =
 -        "/etc/crypto-policies/back-ends/java.config";
 -
     /* The java.security properties */
     private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
             }
         }
 +        if (!loadedProps) {
 +            initializeStatic();
 +            if (sdebug != null) {
 +                sdebug.println("unable to load security properties " +
 +                        "-- using defaults");
 +            }
 +        }
 +
         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
         if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
             "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
 -            if (SystemConfigurator.configure(props)) {
 -                loadedProps = true;
 +            if (!SystemConfigurator.configureSysProps(props)) {
 +                if (sdebug != null) {
 +                    sdebug.println("WARNING: System properties could not be loaded.");
 +                }
             }
         }
 -        if (!loadedProps) {
 -            initializeStatic();
 +        // FIPS support depends on the contents of java.security so
 +        // ensure it has loaded first
 +        if (loadedProps) {
 +            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
             if (sdebug != null) {
 -                sdebug.println("unable to load security properties " +
 -                        "-- using defaults");
 +                if (fipsEnabled) {
 +                    sdebug.println("FIPS support enabled.");
 +                } else {
 +                    sdebug.println("FIPS support disabled.");
 +                }
             }
         }
 -
     }
     /*
 diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
 index 874c6221ebe..b7ed41acf0f 100644
 --- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
      * java.security.disableSystemPropertiesFile property is not set and
      * security.useSystemPropertiesFile is true.
      */
 -    static boolean configure(Properties props) {
 +    static boolean configureSysProps(Properties props) {
         boolean loadedProps = false;
         try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
                 e.printStackTrace();
             }
         }
 +        return loadedProps;
 +    }
 +
 +    /*
 +     * Invoked at the end of java.security.Security initialisation
 +     * if java.security properties have been loaded
 +     */
 +    static boolean configureFIPS(Properties props) {
 +        boolean loadedProps = false;
         try {
             if (enableFips()) {
                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
 -                loadedProps = false;
                 // Remove all security providers
                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
                 while (i.hasNext()) {
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
@ -0,0 +1,220 @@
 commit e2be09f982af1cc05f5e6556d51900bca4757416
 Author: Andrew Hughes <gnu.andrew@redhat.com>
 Date:   Mon Feb 28 05:30:32 2022 +0000
    RH2051605: Detect NSS at Runtime for FIPS detection
 diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
 index 34d0ff0ce91..8dcb7d9073f 100644
 --- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
 +++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,25 +23,99 @@
  * questions.
  */
 -#include <dlfcn.h>
 #include <jni.h>
 #include <jni_util.h>
 +#include "jvm_md.h"
 #include <stdio.h>
 #ifdef SYSCONF_NSS
 #include <nss3/pk11pub.h>
 +#else
 +#include <dlfcn.h>
 #endif //SYSCONF_NSS
 #include "java_security_SystemConfigurator.h"
 +#define MSG_MAX_SIZE 256
 #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
 -#define MSG_MAX_SIZE 96
 +typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
 +
 +static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
 static jmethodID debugPrintlnMethodID = NULL;
 static jobject debugObj = NULL;
 -static void throwIOException(JNIEnv *env, const char *msg);
 -static void dbgPrint(JNIEnv *env, const char* msg);
 +static void dbgPrint(JNIEnv *env, const char* msg)
 +{
 +    jstring jMsg;
 +    if (debugObj != NULL) {
 +        jMsg = (*env)->NewStringUTF(env, msg);
 +        CHECK_NULL(jMsg);
 +        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
 +    }
 +}
 +
 +static void throwIOException(JNIEnv *env, const char *msg)
 +{
 +    jclass cls = (*env)->FindClass(env, "java/io/IOException");
 +    if (cls != 0)
 +        (*env)->ThrowNew(env, cls, msg);
 +}
 +
 +static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
 +{
 +  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 +    dbgPrint(env, msg);
 +  } else {
 +    dbgPrint(env, "systemconf: cannot render message");
 +  }
 +}
 +
 +// Only used when NSS is not linked at build time
 +#ifndef SYSCONF_NSS
 +
 +static void *nss_handle;
 +
 +static jboolean loadNSS(JNIEnv *env)
 +{
 +  char msg[MSG_MAX_SIZE];
 +  int msg_bytes;
 +  const char* errmsg;
 +
 +  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
 +  if (nss_handle == NULL) {
 +    errmsg = dlerror();
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +    return JNI_FALSE;
 +  }
 +  dlerror(); /* Clear errors */
 +  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
 +  if ((errmsg = dlerror()) != NULL) {
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +    return JNI_FALSE;
 +  }
 +  return JNI_TRUE;
 +}
 +
 +static void closeNSS(JNIEnv *env)
 +{
 +  char msg[MSG_MAX_SIZE];
 +  int msg_bytes;
 +  const char* errmsg;
 +
 +  if (dlclose(nss_handle) != 0) {
 +    errmsg = dlerror();
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +  }
 +}
 +
 +#endif
 /*
  * Class:     java_security_SystemConfigurator
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
         debugObj = (*env)->NewGlobalRef(env, debugObj);
     }
 +#ifdef SYSCONF_NSS
 +    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
 +#else
 +    if (loadNSS(env) == JNI_FALSE) {
 +      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
 +    }
 +#endif
 +
     return (*env)->GetVersion(env);
 }
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
             return; /* Should not happen */
         }
 +#ifndef SYSCONF_NSS
 +        closeNSS(env);
 +#endif
         (*env)->DeleteGlobalRef(env, debugObj);
     }
 }
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
     char msg[MSG_MAX_SIZE];
     int msg_bytes;
 -#ifdef SYSCONF_NSS
 -
 -    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
 -    fips_enabled = SECMOD_GetSystemFIPSEnabled();
 -    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
 -            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
 -    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 -        dbgPrint(env, msg);
 +    if (getSystemFIPSEnabled != NULL) {
 +      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
 +      fips_enabled = (*getSystemFIPSEnabled)();
 +      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
 +                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
 +      handle_msg(env, msg, msg_bytes);
 +      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
     } else {
 -        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
 -                " SECMOD_GetSystemFIPSEnabled return value");
 -    }
 -    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
 -
 -#else // SYSCONF_NSS
 +      FILE *fe;
 -    FILE *fe;
 -
 -    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
 -    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
 +      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
 +      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
         return JNI_FALSE;
 -    }
 -    fips_enabled = fgetc(fe);
 -    fclose(fe);
 -    if (fips_enabled == EOF) {
 +      }
 +      fips_enabled = fgetc(fe);
 +      fclose(fe);
 +      if (fips_enabled == EOF) {
         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
         return JNI_FALSE;
 -    }
 -    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
 -            " read character is '%c'", fips_enabled);
 -    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 -        dbgPrint(env, msg);
 -    } else {
 -        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
 -                " read character");
 -    }
 -    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
 -
 -#endif // SYSCONF_NSS
 -}
 -
 -static void throwIOException(JNIEnv *env, const char *msg)
 -{
 -    jclass cls = (*env)->FindClass(env, "java/io/IOException");
 -    if (cls != 0)
 -        (*env)->ThrowNew(env, cls, msg);
 -}
 -
 -static void dbgPrint(JNIEnv *env, const char* msg)
 -{
 -    jstring jMsg;
 -    if (debugObj != NULL) {
 -        jMsg = (*env)->NewStringUTF(env, msg);
 -        CHECK_NULL(jMsg);
 -        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
 +      }
 +      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
 +                           " read character is '%c'", fips_enabled);
 +      handle_msg(env, msg, msg_bytes);
 +      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
     }
 }
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@ -23,6 +23,8 @@
 %bcond_without staticlibs
 # Remove build artifacts by default
 %bcond_with artifacts
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
 %bcond_without fresh_libjvm
 # Workaround for stripping of debug symbols from static libraries
 %if %{with staticlibs}
@ -32,6 +34,13 @@
 %global include_staticlibs 0
 %endif
 # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
 %if %{with fresh_libjvm}
 %global build_hotspot_first 1
 %else
 %global build_hotspot_first 0
 %endif
 # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
 # This fixes detailed NMT and other tools which need minimal debug info.
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -76,7 +85,7 @@
 # in alternatives those are slaves and master, very often triplicated by man pages
 # in files all masters and slaves are ghosted
 # the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
-# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ 
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
 # TODO - fix those hardcoded lists via single list
 # Those files must *NOT* be ghosted for *slowdebug* packages
 # FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@ -102,7 +111,9 @@
 # Set of architectures for which we build fastdebug builds
 %global fastdebug_arches x86_64 ppc64le aarch64
 # Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches      %{debug_arches} %{arm}
+%global jit_arches      %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
 # Set of architectures which use the Zero assembler port (!jit_arches)
 %global zero_arches ppc s390
 # Set of architectures which run a full bootstrap cycle
 %global bootstrap_arches %{jit_arches}
 # Set of architectures which support SystemTap tapsets
@ -121,6 +132,8 @@
 %global zgc_arches x86_64
 # Set of architectures for which alt-java has SSB mitigation
 %global ssbd_arches x86_64
 # Set of architectures where we verify backtraces with gdb
 %global gdb_arches %{jit_arches} %{zero_arches}
 # By default, we build a slowdebug build during main build on JIT architectures
 %if %{with slowdebug}
@ -174,7 +187,7 @@
 %global fastdebug_build %{nil}
 %endif
-# If you disable both builds, then the build fails
+# If you disable all builds, then the build fails
 # Build and test slowdebug first as it provides the best diagnostics
 %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
@ -208,6 +221,11 @@
 %global release_targets images docs-zip
 # No docs nor bootcycle for debug builds
 %global debug_targets images
 # Target to use to just build HotSpot
 %global hotspot_target hotspot
 # JDK to use for bootstrapping
 %global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
 # Disable LTO as this causes build failures at the moment.
 # See RHBZ#1861401
@ -297,8 +315,8 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 15
+%global updatever 14
-%global patchver 0
+%global patchver 1
 # If you bump featurever, you must bump also vendor_version_string
 # Used via new version scheme. JDK 11 was
 # GA'ed in September 2018 => 18.9
@ -344,8 +362,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        1
-%global rpmrelease      2
+%global rpmrelease      6
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -443,6 +461,9 @@
 %global alternatives_requires %{_sbindir}/alternatives
 %endif
 %global family %{name}.%{_arch}
 %global family_noarch  %{name}
 %if %{with_systemtap}
 # Where to install systemtap tapset (links)
 # We would like these to be in a package specific sub-dir,
@ -460,6 +481,50 @@
 # not-duplicated scriptlets for normal/debug packages
 %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %define save_alternatives() %{expand:
  # warning! alternatives are localised!
  # LANG=cs_CZ.UTF-8  alternatives --display java | head
  # LANG=en_US.UTF-8  alternatives --display java | head
  function nonLocalisedAlternativesDisplayOfMaster() {
    LANG=en_US.UTF-8 alternatives --display "$MASTER"
  }
  function headOfAbove() {
    nonLocalisedAlternativesDisplayOfMaster | head -n $1
  }
  MASTER="%{?1}"
  LOCAL_LINK="%{?2}"
  FAMILY="%{?3}"
  rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
  if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
      if headOfAbove 1 | grep -q manual ; then
        if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
           headOfAbove 2  > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
        fi
      fi
  fi
 }
 %define save_and_remove_alternatives() %{expand:
  if [ "x$debug"  == "xtrue" ] ; then
    set -x
  fi
  upgrade1_uninstal0=%{?3}
  if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
    %{save_alternatives %{?1} %{?2} %{?4}}
  fi
  alternatives --remove  "%{?1}" "%{?2}"
 }
 %define set_if_needed_alternatives() %{expand:
  MASTER="%{?1}"
  FAMILY="%{?2}"
  ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
  if [ -e  "$ALTERNATIVES_FILE" ] ; then
    rm "$ALTERNATIVES_FILE"
    alternatives --set $MASTER $FAMILY
  fi
 }
 %define post_script() %{expand:
 update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -467,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
 exit 0
 }
-
+%define alternatives_java_install() %{expand:
-%define post_headless() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
-%ifarch %{share_arches}
+  set -x
-%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+fi
 %endif
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi
 ext=.gz
 key=java
 alternatives \\
-  --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
  --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
@ -506,12 +570,23 @@ alternatives \\
  --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
  %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
 %{set_if_needed_alternatives $key %{family}}
 for X in %{origin} %{javaver} ; do
-  alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+  key=jre_"$X"
  alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
  %{set_if_needed_alternatives $key %{family}}
 done
-update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=jre_%{javaver}_%{origin}
 alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{family}
 %{set_if_needed_alternatives $key %{family}}
 }
 %define post_headless() %{expand:
 %ifarch %{share_arches}
 %{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
 %endif
 update-desktop-database %{_datadir}/applications &> /dev/null || :
 /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -538,26 +613,34 @@ exit 0
 %define postun_headless() %{expand:
-  alternatives --remove java %{jrebindir -- %{?1}}/java
+  if [ "x$debug"  == "xtrue" ] ; then
-  alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+    set -x
-  alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+  fi
-  alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
  %{save_and_remove_alternatives  java  %{jrebindir -- %{?1}}/java $post_state %{family}}
  %{save_and_remove_alternatives  jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
  %{save_and_remove_alternatives  jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
  %{save_and_remove_alternatives  jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
 }
 %define posttrans_script() %{expand:
 %{update_desktop_icons}
 }
 %define post_devel() %{expand:
 %define alternatives_javac_install() %{expand:
 if [ "x$debug"  == "xtrue" ] ; then
  set -x
 fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi
 ext=.gz
 key=javac
 alternatives \\
-  --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
 %ifarch %{aot_arches}
  --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\
@ -565,7 +648,9 @@ alternatives \\
  --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
  --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
  --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
 %endif
 %endif
  --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
  --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
@ -623,15 +708,22 @@ alternatives \\
  --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\
  %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\
  --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
-  %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\
+  %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
 %{set_if_needed_alternatives  $key %{family}}
 for X in %{origin} %{javaver} ; do
-  alternatives \\
+  key=java_sdk_"$X"
-    --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+  alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
  %{set_if_needed_alternatives  $key %{family}}
 done
-update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=java_sdk_%{javaver}_%{origin}
 alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
 %{set_if_needed_alternatives  $key %{family}}
 }
 %define post_devel() %{expand:
 update-desktop-database %{_datadir}/applications &> /dev/null || :
 /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -639,10 +731,14 @@ exit 0
 }
 %define postun_devel() %{expand:
-  alternatives --remove javac %{sdkbindir -- %{?1}}/javac
+  if [ "x$debug"  == "xtrue" ] ; then
-  alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+    set -x
-  alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+  fi
-  alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
  %{save_and_remove_alternatives  javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
  %{save_and_remove_alternatives  java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
  %{save_and_remove_alternatives  java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
  %{save_and_remove_alternatives  java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
 update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -654,42 +750,54 @@ exit 0
 }
 %define posttrans_devel() %{expand:
 %{alternatives_javac_install --  %{?1}}
 %{update_desktop_icons}
 }
-%define post_javadoc() %{expand:
+%define alternatives_javadoc_install() %{expand:
-
+if [ "x$debug"  == "xtrue" ] ; then
  set -x
 fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi
-alternatives \\
+key=javadocdir
-  --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY  --family %{family_noarch}
-  $PRIORITY  --family %{name}
+%{set_if_needed_alternatives  $key %{family_noarch}}
 exit 0
 }
 %define postun_javadoc() %{expand:
-  alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+if [ "x$debug"  == "xtrue" ] ; then
  set -x
 fi
  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
  %{save_and_remove_alternatives  javadocdir  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
 exit 0
 }
-%define post_javadoc_zip() %{expand:
+%define alternatives_javadoczip_install() %{expand:
-
+if [ "x$debug"  == "xtrue" ] ; then
  set -x
 fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi
-
+key=javadoczip
-alternatives \\
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY  --family %{family_noarch}
-  --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
+%{set_if_needed_alternatives  $key %{family_noarch}}
  $PRIORITY  --family %{name}
 exit 0
 }
 %define postun_javadoc_zip() %{expand:
-  alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+  if [ "x$debug"  == "xtrue" ] ; then
    set -x
  fi
  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
  %{save_and_remove_alternatives  javadoczip  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
 exit 0
 }
@ -760,8 +868,10 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
 # Some architectures don't have the serviceability agent
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
 %endif
 %endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
@ -855,8 +965,10 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
 # Some architectures don't have the serviceability agent
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
 %endif
 %endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
@ -1015,8 +1127,8 @@ Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
 # Require zone-info data provided by tzdata-java sub-package
-# 2021a required as of JDK-8260356 in April 2021 CPU
+# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021a
+Requires: tzdata-java >= 2021e
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@ -1029,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
 Requires: cups-libs
 # for FIPS PKCS11 provider
 Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@ -1111,10 +1225,10 @@ Requires(post):   %{alternatives_requires}
 Requires(postun): %{alternatives_requires}
 # Standard JPackage javadoc provides
-Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
 %if %is_system_jdk
-Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
 %endif
 }
@ -1241,6 +1355,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
 Patch1014: rh2021263-fips_ensure_security_initialised.patch
 Patch1015: rh2021263-fips_missing_native_returns.patch
 # RH2052819: Fix FIPS reliance on crypto policies
 Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
 # RH2052829: Detect NSS at Runtime for FIPS detection
 Patch1017: rh2052829-fips_runtime_nss_detection.patch
 #############################################
 #
@ -1269,15 +1387,25 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch
 #############################################
 #
-# Patches appearing in 11.0.15
+# Backportable patches
 #
 # This section includes patches which are
 # present in the current development tree, but
 # need to be reviewed & pushed to the appropriate
 # updates tree of OpenJDK.
 #############################################
 # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
 Patch101: jdk8257794-remove_broken_assert.patch
 #############################################
 #
 # Patches appearing in 11.0.13
 #
 # This section includes patches which are present
 # in the listed OpenJDK 11u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
 # JDK-8284920: Incorrect Token type causes XPath expression to return empty result
 Patch9: jdk8284920-incorrect_token_type.patch
 BuildRequires: autoconf
 BuildRequires: automake
@ -1304,8 +1432,8 @@ BuildRequires: libXrandr-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
+# Requirement for setting up nss.cfg and nss.fips.cfg
-BuildRequires: nss-devel >= 3.53
+BuildRequires: nss-devel
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
@ -1313,11 +1441,11 @@ BuildRequires: unzip
 BuildRequires: javapackages-filesystem
 BuildRequires: java-%{buildjdkver}-openjdk-devel
 # Zero-assembler build requirement
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2021a required as of JDK-8260356 in April 2021 CPU
+# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021a
+BuildRequires: tzdata-java >= 2021e
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
@ -1599,7 +1727,7 @@ Group:   Documentation
 Requires: javapackages-filesystem
 Obsoletes: javadoc-debug
-%{java_javadoc_rpo %{nil}}
+%{java_javadoc_rpo -- %{nil} %{nil}}
 %description javadoc
 The %{origin_nice} %{featurever} API documentation.
@ -1612,7 +1740,8 @@ Group:   Documentation
 Requires: javapackages-filesystem
 Obsoletes: javadoc-zip-debug
-%{java_javadoc_rpo %{nil}}
+%{java_javadoc_rpo -- %{nil} -zip}
 %{java_javadoc_rpo -- %{nil} %{nil}}
 %description javadoc-zip
 The %{origin_nice} %{featurever} API documentation compressed in a single archive.
@ -1668,9 +1797,10 @@ pushd %{top_level_dir_name}
 %patch3 -p1
 %patch4 -p1
 %patch7 -p1
 %patch9 -p1
 popd # openjdk
 %patch101
 %patch1000
 %patch600
 %patch1001
@ -1683,6 +1813,8 @@ popd # openjdk
 %patch1011
 %patch1014
 %patch1015
 %patch1016
 %patch1017
 %patch8
@ -1737,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 # Setup nss.fips.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
 sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
 %build
 # How many CPU's do we have?
@ -1764,17 +1895,21 @@ EXTRA_CPP_FLAGS="%ourcppflags"
 # fix rpmlint warnings
 EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
 %endif
 %ifarch %{ix86}
 # Align stack boundary on x86_32
 EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
 EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
 %endif
 # Fixes annocheck warnings in assembler files due to missing build notes
 EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
-export EXTRA_CFLAGS EXTRA_ASFLAGS
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS
 function buildjdk() {
    local outputdir=${1}
-    local installdir=${2}
+    local buildjdk=${2}
-    local buildjdk=${3}
+    local maketargets="${3}"
-    local maketargets="${4}"
+    local debuglevel=${4}
-    local debuglevel=${5}
+    local link_opt=${5}
    local link_opt=${6}
    local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
    local top_dir_abs_build_path=$(pwd)/${outputdir}
@ -1787,11 +1922,11 @@ function buildjdk() {
    echo "Using link_opt: ${link_opt}"
    echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
-    mkdir -p ${outputdir} ${installdir}
+    mkdir -p ${outputdir}
    pushd ${outputdir}
    bash ${top_dir_abs_src_path}/configure \
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
    --with-jvm-variants=zero \
 %endif
 %ifarch %{ppc64le}
@ -1808,7 +1943,7 @@ function buildjdk() {
    --with-boot-jdk=${buildjdk} \
    --with-debug-level=${debuglevel} \
    --with-native-debug-symbols="%{debug_symbols}" \
-    --enable-sysconf-nss \
+    --disable-sysconf-nss \
    --enable-unlimited-crypto \
    --with-zlib=system \
    --with-libjpeg=${link_opt} \
@ -1836,8 +1971,15 @@ function buildjdk() {
      $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
    popd
 }
 function installjdk() {
    local outputdir=${1}
    local installdir=${2}
    local imagepath=${installdir}/images/%{jdkimage}
    echo "Installing build from ${outputdir} to ${installdir}..."
    mkdir -p ${installdir}
    echo "Installing images..."
    mv ${outputdir}/images ${installdir}
    if [ -d ${outputdir}/bundles ] ; then
@ -1853,11 +1995,8 @@ function buildjdk() {
    echo "Removing output directory...";
    rm -rf ${outputdir}
 %endif
 }
 function installjdk() {
    local imagepath=${1}
    if [ -d ${imagepath} ] ; then
 	# the build (erroneously) removes read permissions from some jars
 	# this is a regression in OpenJDK 7 (our compiler):
 	# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
@ -1884,8 +2023,19 @@ function installjdk() {
 	echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
 	cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
 	popd
    fi
 }
 %if %{build_hotspot_first}
  # Build a fresh libjvm.so first and use it to bootstrap
  cp -LR --preserve=mode,timestamps %{bootjdk} newboot
  systemjdk=$(pwd)/newboot
  buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
  mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
 %else
  systemjdk=%{bootjdk}
 %endif
 for suffix in %{build_loop} ; do
  if [ "x$suffix" = "x" ] ; then
@ -1895,7 +2045,6 @@ for suffix in %{build_loop} ; do
      debugbuild=`echo $suffix  | sed "s/-//g"`
  fi
  systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
  for loop in %{main_suffix} %{staticlibs_loop} ; do
@ -1922,11 +2071,14 @@ for suffix in %{build_loop} ; do
        run_bootstrap=%{bootstrap_build}
      fi
      if ${run_bootstrap} ; then
-         buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+          buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
-         buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+          installjdk ${bootbuilddir} ${bootinstalldir}
          buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
          installjdk ${builddir} ${installdir}
          %{!?with_artifacts:rm -rf ${bootinstalldir}}
      else
-        buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+          buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
          installjdk ${builddir} ${installdir}
      fi
      # Restore original source tree we modified by removing full in-tree sources
      rm -rf %{top_level_dir_name}
@ -1937,15 +2089,12 @@ for suffix in %{build_loop} ; do
      # Static library cycle only builds the static libraries
      maketargets="%{static_libs_target}"
      # Always just do the one build for the static libraries
-      buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+      buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
      installjdk ${builddir} ${installdir}
    fi
  done # end of main / staticlibs loop
  # Final setup on the main image
  top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
  installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
 # build cycles
 done # end of release / debug cycle loop
@ -2054,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
 handle SIGSEGV pass nostop noprint
 handle SIGILL pass nostop noprint
 set breakpoint pending on
-break javaCalls.cpp:1
+break javaCalls.cpp:58
 commands 1
 backtrace
 quit
 end
 run -version
 EOF
-%if 0%{?fedora} > 0
+%ifarch %{gdb_arches}
 # This fails on s390x for some reason. Disable for now. See:
 # https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
 %ifnarch s390x
 grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
 %endif
 %endif
 # Check src.zip has all sources. See RHBZ#1130490
 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
@ -2294,6 +2439,9 @@ end
 %posttrans
 %{posttrans_script %{nil}}
 %posttrans headless
 %{alternatives_java_install %{nil}}
 %post devel
 %{post_devel %{nil}}
@ -2303,14 +2451,14 @@ end
 %posttrans  devel
 %{posttrans_devel %{nil}}
-%post javadoc
+%posttrans javadoc
-%{post_javadoc %{nil}}
+%{alternatives_javadoc_install %{nil}}
 %postun javadoc
 %{postun_javadoc %{nil}}
-%post javadoc-zip
+%posttrans javadoc-zip
-%{post_javadoc_zip %{nil}}
+%{alternatives_javadoczip_install %{nil}}
 %postun javadoc-zip
 %{postun_javadoc_zip %{nil}}
@ -2323,6 +2471,9 @@ end
 %post headless-slowdebug
 %{post_headless -- %{debug_suffix_unquoted}}
 %posttrans headless-slowdebug
 %{alternatives_java_install -- %{debug_suffix_unquoted}}
 %postun slowdebug
 %{postun_script -- %{debug_suffix_unquoted}}
@ -2358,6 +2509,9 @@ end
 %posttrans fastdebug
 %{posttrans_script -- %{fastdebug_suffix_unquoted}}
 %posttrans headless-fastdebug
 %{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
 %post devel-fastdebug
 %{post_devel -- %{fastdebug_suffix_unquoted}}
@ -2464,99 +2618,148 @@ end
 %endif
 %changelog
-* Sat Apr 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-2
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-6
- Add JDK-8284920 fix for XPath regression
+- Detect NSS at runtime for FIPS detection
- Related: rhbz#2073422
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
 - Resolves: rhbz#2052827
-* Fri Apr 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-2
+* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-5
 - Remove security items from release notes that were only in 17u and N/A for 11u
 - Related: rhbz#2073422
 * Wed Apr 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-1
 - Update to jdk-11.0.15.0+9
 - Update release notes to 11.0.15.0+9
 - Switch to GA mode for release
 - ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
 - Resolves: rhbz#2073422
 * Tue Apr 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.8-0.1.ea
 - Update to jdk-11.0.15.0+8
 - Update release notes to 11.0.15.0+8
 - Switch to EA mode for 11.0.15 pre-release builds.
 - Rebase RH1996182 FIPS patch after JDK-8254410
 - Related: rhbz#2073422
 * Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-2
 - Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2055344
+- Resolves: rhbz#2053284
-* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-1
+* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-4
 - Storing and restoring alterntives during update manually
 - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
 -- The move of alternatives creation to posttrans to fix:
 -- Bug 1200302 - dnf reinstall breaks alternatives
 -- Had caused the alternatives to be removed, and then created again,
 -- instead of being added, and then removing the old, and thus persisting
 -- the selection in family
 -- Thus this fix, is storing the family of manually selected master, and if
 -- stored, then it is restoring the family of the master
 - Resolves: rhbz#2008192
 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-3
 - Family extracted to globals
 - Resolves: rhbz#2008192
 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-2
 - alternatives creation moved to posttrans
 - Thus fixing the old reisntall issue:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1200302
 - https://bugzilla.redhat.com/show_bug.cgi?id=1976053
 - Resolves: rhbz#2008192
 * Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-1
 - Update to jdk-11.0.14.1+1
 - Update release notes to 11.0.14.1+1
 - Require tzdata 2021e as of JDK-8275766.
 - Resolves: rhbz#2052809
 - Resolves: rhbz#1966234
-* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-2
+* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-6
 - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
 - Resolves: rhbz#2052816
 * Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-5
 - Refactor build functions so we can build just HotSpot without any attempt at installation.
 - Sync gdb test with java-1.8.0-openjdk.
 - Improve architecture restrictions for the gdb test.
 - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
 - Explicitly list JIT architectures rather than relying on those with slowdebug builds
 - Disable the serviceability agent on Zero architectures even when the architecture itself is supported
 - Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
 - Related: rhbz#2052809
 * Fri Feb 11 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.0.9-5
 - Give javadoc-zip its own Provides, next to the plain javadoc ones
 - Related: rhbz#2052809
 * Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-4
 - Fix FIPS issues in native code and with initialisation of java.security.Security
- Related: rhbz#2039366
+- Resolves: rhbz#2021559
-* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-1
+* Thu Feb 10 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.14.0.9-3
 - Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
  secmod.db file as part of nss
 - Resolves: rhbz#2023534
 * Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-2
 - Update to jdk-11.0.14.0+9
 - Update release notes to 11.0.14.0+9
 - Switch to GA mode for final release.
 - This tarball is embargoed until 2022-01-18 @ 1pm PT.
 - Resolves: rhbz#2039366
 * Fri Jan 14 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea
 - Update to jdk-11.0.14.0+8
 - Update release notes to 11.0.14.0+8
 - Resolves: rhbz#2022821
 * Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.1-0.1.ea
 - Update to jdk-11.0.14.0+1
 - Update release notes to 11.0.14.0+1
 - Switch to EA mode for 11.0.14 pre-release builds.
 - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
 - Rename blacklisted.certs to blocked.certs following JDK-8253866
 - Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034
- Related: rhbz#2039366
+- Related: rhbz#2022821
-* Wed Dec 01 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.0.8-0.1.ea
+* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-5
 - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
 - Related: rhbz#2022821
 * Wed Dec 01 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.13.0.8-4
 - Replaced hardcoded 11 by featurever where appropriate
 - Fixed comment of `for slowdebug` to correct `any debug`
- Related: rhbz#2039366
+- Related: rhbz#2022821
-* Sun Nov 07 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-4
+* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Update to jdk-11.0.13.0+8
- Resolves: rhbz#2014212
+- Update release notes to 11.0.13.0+8
 * Sun Nov 07 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.13.0.8-4
 - Add patch to allow plain key import.
 - Resolves: rhbz#2014212
 * Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3
 - Bump and rebuild to try and get a build correctly tagged.
 - Related: rhbz#2012334
 * Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-2
 - Update to jdk-11.0.12.0+8
 - Update release notes to 11.0.12.0+8
 - Switch to GA mode for final release.
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
+- Resolves: rhbz#2012335
 - Resolves: rhbz#2012334
 * Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.7-0.1.ea
 - Update to jdk-11.0.13.0+7
 - Update release notes to 11.0.13.0+7
 - Resolves: rhbz#1999938
 * Mon Oct 11 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.1-0.1.ea
 - Update to jdk-11.0.13.0+1
 - Update release notes to 11.0.13.0+1
 - Update tarball generation script to use git following OpenJDK 11u's move to github
 - Switch to EA mode for 11.0.13 pre-release builds.
- Remove non-Free test from source tarball.
+- Remove "-clean" suffix as no 11.0.13 builds are unclean.
 - Drop JDK-8269668 patch which is now applied upstream.
- Related: rhbz#2011826
+- Related: rhbz#1999938
-* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-5
+* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-9
 - The bootstrap JDK is now in bootinstalldir, not bootbuilddir.
 - Related: rhbz#1999938
 * Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-9
 - Reduce disk footprint by removing build artifacts by default.
 - Related: rhbz#1999938
 * Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-8
 - Restructure the build so a minimal initial build is then used for the final build (with docs)
 - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Reduce disk footprint by removing build artifacts by default.
+- Related: rhbz#1999938
 - Related: rhbz#2011826
-* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-5
+* Tue Oct 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-7
 - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
 - Resolves: rhbz#1991003
 * Tue Oct 05 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.12.0.7-7
 - Add patch to allow plain key import.
 - Resolves: rhbz#1991003
 * Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-6
 - Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2011826
+- Related: rhbz#1999938
 * Mon Sep 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-5
 - Remove non-Free test from source tarball.
 - Related: rhbz#1999938
 * Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
`@ -1,2 +1,2 @@`
	`SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz`	`SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz`
	`SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`	`SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`
`@ -1,2 +1,2 @@`
	`9d43605109c7a4c5cad6cef74e19efe42fb163f8 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz`	`dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz`
	`c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`	`c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`