10 changed files with 1537 additions and 454 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
+SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/.java-17-openjdk.metadata
+++ b/.java-17-openjdk.metadata
@ -1,2 +1,2 @@
-f57ddb82318be77e9304b68bdf671043fa83662a SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
+95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@ -3,6 +3,653 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

+New in release OpenJDK 17.0.6 (2023-01-17):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk1706
+  * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
+
+* Other changes
+  - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
+  - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+  - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
+  - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
+  - JDK-8029633: Raw inner class constructor ref should not perform diamond inference
+  - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails
+  - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
+  - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
+  - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
+  - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java
+  - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout
+  - JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails
+  - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
+  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
+  - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs
+  - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos
+  - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos
+  - JDK-8244670: convert clhsdb "whatis" command from javascript to java
+  - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives.
+  - JDK-8255439: System Tray icons get corrupted when Windows scaling changes
+  - JDK-8256811: Delayed/missed jdwp class unloading events
+  - JDK-8257722: Improve "keytool -printcert -jarfile" output
+  - JDK-8262721: Add Tests to verify single iteration loops are properly optimized
+  - JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation
+  - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
+  - JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al
+  - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java
+  - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow"
+  - JDK-8268276: Base64 Decoding optimization for x86 using AVX-512
+  - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
+  - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
+  - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs
+  - JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512
+  - JDK-8269571: NMT should print total malloc bytes and invocation count
+  - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m)
+  - JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter
+  - JDK-8270155: ARM32: Improve register dump in hs_err
+  - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
+  - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
+  - JDK-8270947: AArch64: C1: use zero_words to initialize all objects
+  - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts
+  - JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah
+  - JDK-8271956: AArch64: C1 build failed after JDK-8270947
+  - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
+  - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64
+  - JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag
+  - JDK-8272776: NullPointerException not reported
+  - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947
+  - JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains
+  - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
+  - JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
+  - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints
+  - JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long
+  - JDK-8273459: Update code segment alignment to 64 bytes
+  - JDK-8273497: building.md should link to both md and html
+  - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
+  - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12
+  - JDK-8273685: Remove jtreg tag manual=yesno for  java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction
+  - JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled
+  - JDK-8273881: Metaspace: test repeated deallocations
+  - JDK-8274029: Remove jtreg tag manual=yesno for  java/awt/print/Dialog/DialogOrient.java
+  - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI
+  - JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high
+  - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS
+  - JDK-8274456: Remove jtreg tag manual=yesno  java/awt/print/PrinterJob/PageDialogTest.java
+  - JDK-8274527: Minimal VM build fails after JDK-8273459
+  - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
+  - JDK-8274903: Zero: Support AsyncGetCallTrace
+  - JDK-8275170: Some jtreg sound tests should be marked with sound keyword
+  - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
+  - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+  - JDK-8275569: Add linux-aarch64 to test-make profiles
+  - JDK-8276108: Wrong instruction generation in aarch64 backend
+  - JDK-8276904: Optional.toString() is unnecessarily expensive
+  - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM"
+  - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64
+  - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
+  - JDK-8277358: Accelerate CRC32-C
+  - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
+  - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64
+  - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
+  - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64
+  - JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size
+  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
+  - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
+  - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch"
+  - JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing)
+  - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore
+  - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
+  - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out
+  - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC
+  - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails
+  - JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines
+  - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes
+  - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947
+  - JDK-8280391: NMT: Correct NMT tag on CollectedHeap
+  - JDK-8280511: AArch64: Combine shift and negate to a single instruction
+  - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered
+  - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object
+  - JDK-8280872: Reorder code cache segments to improve code density
+  - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
+  - JDK-8280948: Write a regression test for JDK-4659800
+  - JDK-8281296: Create a regression test for JDK-4515999
+  - JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points
+  - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores
+  - JDK-8282276: Problem list failing two Robot Screen Capture tests
+  - JDK-8282347: AARCH64: Untaken branch in has_negatives stub
+  - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
+  - JDK-8282402: Create a regression test for JDK-4666101
+  - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
+  - JDK-8282528: AArch64: Incorrect replicate2L_zero rule
+  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
+  - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1
+  - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure
+  - JDK-8282777: Create a Regression test for JDK-4515031
+  - JDK-8282857: Create a regression test for JDK-4702690
+  - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
+  - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup
+  - JDK-8283298: Make CodeCacheSegmentSize a product flag
+  - JDK-8283337: Posix signal handler modification warning triggering incorrectly
+  - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32
+  - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
+  - JDK-8283999: Update JMH devkit to 1.35
+  - JDK-8284533: Improve InterpreterCodelet data footprint
+  - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction"
+  - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
+  - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X
+  - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation
+  - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
+  - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently
+  - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp  -XX:+DeoptimizeALot
+  - JDK-8285093: Introduce UTIL_ARG_WITH
+  - JDK-8285305: Create an automated test for JDK-4495286
+  - JDK-8285373: Create an automated test for JDK-4702233
+  - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)"
+  - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
+  - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java
+  - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox
+  - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment
+  - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
+  - JDK-8286172: Create an automated test for JDK-4516019
+  - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3"
+  - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable
+  - JDK-8286452: The array length of testSmallConstArray should be small and const
+  - JDK-8286460: Remove dependence on JAR filename in CDS tests
+  - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2
+  - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
+  - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray
+  - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows
+  - JDK-8286872: Refactor add/modify notification icon (TrayIcon)
+  - JDK-8287011: Improve container information
+  - JDK-8287076: Document.normalizeDocument() produces different results
+  - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance
+  - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
+  - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative
+  - JDK-8287740: NSAccessibilityShowMenuAction not working for text editors
+  - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile
+  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests
+  - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces
+  - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable
+  - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
+  - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name
+  - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support
+  - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output
+  - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented
+  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
+  - JDK-8289524: Add JFR JIT restart event
+  - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException
+  - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https
+  - JDK-8290207: Missing notice in dom.md
+  - JDK-8290209: jcup.md missing additional text
+  - JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier()
+  - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1
+  - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure
+  - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
+  - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS
+  - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
+  - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize
+  - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
+  - JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false"
+  - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM
+  - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false
+  - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
+  - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
+  - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
+  - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath
+  - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region
+  - JDK-8292083: Detected container memory limit may exceed physical machine memory
+  - JDK-8292158: AES-CTR cipher state corruption with AVX-512
+  - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out
+  - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
+  - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle
+  - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update
+  - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
+  - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
+  - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h
+  - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures
+  - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading
+  - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java
+  - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
+  - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform
+  - JDK-8292903: enhance round_up_power_of_2 assertion output
+  - JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking
+  - JDK-8293044: C1: Missing access check on non-accessible class
+  - JDK-8293232: Fix race condition in pkcs11 SessionManager
+  - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
+  - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
+  - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint
+  - JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx
+  - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
+  - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries
+  - JDK-8293578: Duplicate ldc generated by javac
+  - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
+  - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details
+  - JDK-8293672: Update freetype md file
+  - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
+  - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception
+  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
+  - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent
+  - JDK-8293826: Closed test fails after JDK-8276108 on aarch64
+  - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
+  - JDK-8293834: Update CLDR data following tzdata 2022c update
+  - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
+  - JDK-8293965: Code signing warnings after JDK-8293550
+  - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
+  - JDK-8294307: ISO 4217 Amendment 173 Update
+  - JDK-8294310: compare.sh fails on macos after JDK-8293550
+  - JDK-8294357: (tz) Update Timezone Data to 2022d
+  - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode
+  - JDK-8294740: Add cgroups keyword to TestDockerBasic.java
+  - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md
+  - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator
+  - JDK-8295173: (tz) Update Timezone Data to 2022e
+  - JDK-8295288: Some vm_flags tests associate with a wrong BugID
+  - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests
+  - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp
+  - JDK-8295419: JFR: Change name of jdk.JitRestart
+  - JDK-8295429: Update harfbuzz md file
+  - JDK-8295469: S390X: Optimized builds are broken
+  - JDK-8295554: Move the "sizecalc.h" to the correct location
+  - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
+  - JDK-8295714: GHA ::set-output is deprecated and will be removed
+  - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
+  - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
+  - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
+  - JDK-8296108: (tz) Update Timezone Data to 2022f
+  - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
+  - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
+  - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
+  - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
+  - JDK-8296715: CLDR v42 update for tzdata 2022f
+  - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
+  - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds
+  - JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value
+  - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
+  - JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes
+  - JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
+  - JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
+  - JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
+  - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used
+  - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again
+  - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
+  - JDK-8297309: Memory leak in ShenandoahFullGC
+  - JDK-8297481: Create a regression test for JDK-4424517
+  - JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation
+  - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
+  - JDK-8297656: AArch64: Enable AES/GCM Intrinsics
+  - JDK-8297804: (tz) Update Timezone Data to 2022g
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
+==========================================================================================================
+Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to
+hold principals and credentials so that it rejected null
+values. Attempts to call add(null), contains(null) or remove(null)
+were changed to throw a NullPointerException.
+
+However, the logout() methods in the LoginModule implementations
+within the JDK were not updated to check for null values, which may
+occur in the event of a failed login. As a result, a logout() call may
+throw a NullPointerException.
+
+The LoginModule implementations have now been updated with such checks
+and an implementation note added to the specification to suggest that
+the same change is made in third party modules.  Developers of third
+party modules are advised to verify that their logout() method does not
+throw a NullPointerException.
+
+New in release OpenJDK 17.0.5 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk1705
+  * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html
+
+* Security fixes
+  - JDK-8282252: Improve BigInteger/Decimal validation
+  - JDK-8285662: Better permission resolution
+  - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
+  - JDK-8286511: Improve macro allocation
+  - JDK-8286519: Better memory handling
+  - JDK-8286526, CVE-2022-21619: Improve NTLM support
+  - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+  - JDK-8286918, CVE-2022-21628: Better HttpServer service
+  - JDK-8287446: Enhance icon presentations
+  - JDK-8288508: Enhance ECDSA usage
+  - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
+  - JDK-8289853: Update HarfBuzz to 4.4.1
+  - JDK-8290334: Update FreeType to 2.12.1
+* Other changes
+  - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
+  - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
+  - JDK-7131823: bug in GIFImageReader
+  - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
+  - JDK-8028265: Add legacy tz tests to OpenJDK
+  - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
+  - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
+  - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
+  - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
+  - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
+  - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
+  - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
+  - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
+  - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
+  - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
+  - JDK-8227651: Tests fail with SSLProtocolException: Input record too big
+  - JDK-8240903: Add test to check that jmod hashes are reproducible
+  - JDK-8254318: Remove .hgtags
+  - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
+  - JDK-8256844: Make NMT late-initializable
+  - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom"
+  - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class
+  - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
+  - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled"
+  - JDK-8269039: Disable SHA-1 Signed JARs
+  - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr
+  - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
+  - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
+  - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
+  - JDK-8271344: Windows product version issue
+  - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
+  - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData
+  - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
+  - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
+  - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
+  - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts
+  - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
+  - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms
+  - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
+  - JDK-8274597: Some of the dnd tests time out and fail intermittently
+  - JDK-8274856: Failing jpackage tests with fastdebug/release build
+  - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
+  - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
+  - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
+  - JDK-8276837: [macos]: Error when signing the additional launcher
+  - JDK-8277429: Conflicting jpackage static library name
+  - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
+  - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
+  - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
+  - JDK-8278311: Debian packaging doesn't work
+  - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
+  - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
+  - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
+  - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
+  - JDK-8279622: C2: miscompilation of map pattern as a vector reduction
+  - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
+  - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
+  - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
+  - JDK-8280863: Update build README to reflect that MSYS2 is supported
+  - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
+  - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
+  - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
+  - JDK-8281181: Do not use CPU Shares to compute active processor count
+  - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
+  - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
+  - JDK-8281535: Create a regression test for JDK-4670051
+  - JDK-8281569: Create tests for Frame.setMinimumSize() method
+  - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
+  - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
+  - JDK-8281745: Create a regression test for JDK-4514331
+  - JDK-8281988: Create a regression test for JDK-4618767
+  - JDK-8282007: Assorted enhancements to jpackage testing framework
+  - JDK-8282046: Create a regression test for JDK-8000326
+  - JDK-8282214: Upgrade JQuery to version 3.6.0
+  - JDK-8282234: Create a regression test for JDK-4532513
+  - JDK-8282280: Update Xerces to Version 2.12.2
+  - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
+  - JDK-8282343: Create a regression test for JDK-4518432
+  - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
+  - JDK-8282407: Missing ')' in MacResources.properties
+  - JDK-8282467: add extra diagnostics for JDK-8268184
+  - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
+  - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+  - JDK-8282548: Create a regression test for JDK-4330998
+  - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
+  - JDK-8282640: Create a test for JDK-4740761
+  - JDK-8282778: Create a regression test for JDK-4699544
+  - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
+  - JDK-8282860: Write a regression test for JDK-4164779
+  - JDK-8282933: Create a test for JDK-4529616
+  - JDK-8282936: Write a regression test for JDK-4615365
+  - JDK-8282937: Write a regression test for JDK-4820080
+  - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
+  - JDK-8283015: Create a test for JDK-4715496
+  - JDK-8283087: Create a test or JDK-4715503
+  - JDK-8283245: Create a test for JDK-4670319
+  - JDK-8283277: ISO 4217 Amendment 171 Update
+  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
+  - JDK-8283457: [macos] libpng build failures with Xcode13.3
+  - JDK-8283493: Create an automated regression test for RFE 4231298
+  - JDK-8283507: Create a regression test for RFE 4287690
+  - JDK-8283562: JDK-8282306 breaks gtests on zero
+  - JDK-8283597: [REDO] Invalid generic signature for redefined classes
+  - JDK-8283621: Write a regression test for CCC4400728
+  - JDK-8283623: Create an automated regression test for JDK-4525475
+  - JDK-8283624: Create an automated regression test for RFE-4390885
+  - JDK-8283712: Create a manual test framework class
+  - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
+  - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
+  - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+  - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
+  - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
+  - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
+  - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
+  - JDK-8284077: Create an automated test for JDK-4170173
+  - JDK-8284294: Create an automated regression test for RFE 4138746
+  - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
+  - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
+  - JDK-8284521: Write an automated regression test for RFE 4371575
+  - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
+  - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
+  - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
+  - JDK-8284686: Interval of < 1 ms disables ExecutionSample events
+  - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
+  - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
+  - JDK-8284898: Enhance PassFailJFrame
+  - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
+  - JDK-8284950: CgroupV1 detection code should consider memory.swappiness
+  - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
+  - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
+  - JDK-8285081: Improve XPath operators count accuracy
+  - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
+  - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
+  - JDK-8285380: Fix typos in security
+  - JDK-8285398: Cache the results of constraint checks
+  - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
+  - JDK-8285693: Create an automated test for JDK-4702199
+  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
+  - JDK-8285730: unify _WIN32_WINNT settings
+  - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
+  - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
+  - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
+  - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
+  - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
+  - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
+  - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
+  - JDK-8286277: CDS VerifyError when calling clone() on object array
+  - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
+  - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
+  - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
+  - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
+  - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
+  - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
+  - JDK-8286869: unify os::dir_is_empty across posix platforms
+  - JDK-8286870: Memory leak with RepeatCompilation
+  - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
+  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+  - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
+  - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+  - JDK-8287113: JFR: Periodic task thread uses period for method sampling events
+  - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
+  - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
+  - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
+  - JDK-8287366: Improve test failure reporting in GHA
+  - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
+  - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
+  - JDK-8287463: JFR: Disable TestDevNull.java on Windows
+  - JDK-8287663: Add a regression test for JDK-8287073
+  - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
+  - JDK-8287724: Fix various issues with msys2
+  - JDK-8287735: Provide separate event category for dll operations
+  - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+  - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
+  - JDK-8287895: Some langtools tests fail on msys2
+  - JDK-8287896: PropertiesTest.sh fail on msys2
+  - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
+  - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
+  - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
+  - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
+  - JDK-8288003: log events for os::dll_unload
+  - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
+  - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
+  - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
+  - JDK-8288467: remove memory_operand assert for spilled instructions
+  - JDK-8288499: Restore cancel-in-progress in GHA
+  - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
+  - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
+  - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
+  - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
+  - JDK-8288992: AArch64: CMN should be handled the same way as CMP
+  - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
+  - JDK-8289147: unify os::infinite_sleep on posix platforms
+  - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
+  - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
+  - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
+  - JDK-8289486: Improve XSLT XPath operators count efficiency
+  - JDK-8289549: ISO 4217 Amendment 172 Update
+  - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
+  - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
+  - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
+  - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
+  - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
+  - JDK-8289910: unify os::message_box across posix platforms
+  - JDK-8290000: Bump macOS GitHub actions to macOS 11
+  - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
+  - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
+  - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
+  - JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
+  - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
+  - JDK-8290456: remove os::print_statistics()
+  - JDK-8291595: [17u] Delete files missed in backport of 8269039
+  - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
+  - JDK-8292579: (tz) Update Timezone Data to 2022c
+  - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
+===========================================================================
+Two system properties have been added which control the keep alive
+behavior of HttpURLConnection in the case where the server does not
+specify a keep alive time. Two properties are defined for controlling
+connections to servers and proxies separately. They are:
+
+* `http.keepAlive.time.server`
+* `http.keepAlive.time.proxy`
+
+respectively. More information about them can be found on the
+Networking Properties page:
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
+
+security-libs/javax.crypto:
+
+JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
+=====================================================================================
+The Windows KeyStore support in the SunMSCAPI provider has been
+expanded to include access to the local machine location. The new
+keystore types are:
+
+* "Windows-MY-LOCALMACHINE"
+* "Windows-ROOT-LOCALMACHINE"
+
+The following keystore types were also added, allowing developers to
+make it clear they map to the current user:
+
+* "Windows-MY-CURRENTUSER" (same as "Windows-MY")
+* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")
+
+JDK-8286918: Better HttpServer service
+======================================
+The HttpServer can be optionally configured with a maximum connection
+limit by setting the jdk.httpserver.maxConnections system property. A
+value of 0 or a negative integer is ignored and considered to
+represent no connection limit. In the case of a positive integer
+value, any newly accepted connections will be first checked against
+the current count of established connections and, if the configured
+limit has been reached, then the newly accepted connection will be
+closed immediately.
+
+hotspot/runtime:
+
+JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
+=====================================================================
+Previous JDK releases used an incorrect interpretation of the Linux
+cgroups parameter "cpu.shares". This might cause the JVM to use fewer
+CPUs than available, leading to an under utilization of CPU resources
+when the JVM is used inside a container.
+
+Starting from this JDK release, by default, the JVM no longer
+considers "cpu.shares" when deciding the number of threads to be used
+by the various thread pools. The `-XX:+UseContainerCpuShares`
+command-line option can be used to revert to the previous
+behavior. This option is deprecated and may be removed in a future JDK
+release.
+
+security-libs/java.security:
+
+JDK-8269039: Disabled SHA-1 Signed JARs
+=======================================
+JARs signed with SHA-1 algorithms are now restricted by default and
+treated as if they were unsigned. This applies to the algorithms used
+to digest, sign, and optionally timestamp the JAR. It also applies to
+the signature and digest algorithms of the certificates in the
+certificate chain of the code signer and the Timestamp Authority, and
+any CRLs or OCSP responses that are used to verify if those
+certificates have been revoked. These restrictions also apply to
+signed JCE providers.
+
+To reduce the compatibility risk for JARs that have been previously
+timestamped, there is one exception to this policy:
+
+- Any JAR signed with SHA-1 algorithms and timestamped prior to
+  January 01, 2019 will not be restricted.
+
+This exception may be removed in a future JDK release. To determine if
+your signed JARs are affected by this change, run:
+
+$ jarsigner -verify -verbose -certs`
+
+on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
+"disabled" and a warning that the JAR will be treated as unsigned in
+the output.
+
+For example:
+
+   Signed by "CN="Signer""
+   Digest algorithm: SHA-1 (disabled)
+   Signature algorithm: SHA1withRSA (disabled), 2048-bit key
+
+   WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
+
+   jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
+
+JARs affected by these new restrictions should be replaced or
+re-signed with stronger algorithms.
+
+Users can, *at their own risk*, remove these restrictions by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) and removing "SHA1 usage
+SignedJAR & denyAfter 2019-01-01" from the
+`jdk.certpath.disabledAlgorithms` security property and "SHA1
+denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
+property.
+
 New in release OpenJDK 17.0.4.1 (2022-08-16):
 ===========================================
 Live versions of these release notes can be found at:
@ -32,6 +679,7 @@ Live versions of these release notes can be found at:
 * Security fixes
  - JDK-8272243: Improve DER parsing
  - JDK-8272249: Better properties of loaded Properties
+  - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
  - JDK-8277608: Address IP Addressing
  - JDK-8281859, CVE-2022-21540: Improve class compilation
  - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
@ -86,7 +734,6 @@ Live versions of these release notes can be found at:
  - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
  - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
  - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
-  - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
  - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
  - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
  - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
--- a/SOURCES/TestTranslations.java
+++ b/SOURCES/TestTranslations.java
@ -15,20 +15,145 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-import java.util.Arrays;
-import java.util.Locale;
-import java.util.ResourceBundle;
+import java.text.DateFormatSymbols;

-import sun.util.resources.LocaleData;
-import sun.util.locale.provider.LocaleProviderAdapter;
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;

 public class TestTranslations {
+
+    private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
+
+    static {
+        Map<Locale,String[]> map = new HashMap<Locale,String[]>();
+        map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
+                                          "Eastern European Summer Time", "GMT+03:00", "EEST",
+                                          "Eastern European Time", "GMT+02:00", "EET"});
+        map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
+                                              "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
+                                              "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
+        map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
+                                               "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+                                               "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+        KYIV = Collections.unmodifiableMap(map);
+
+        map = new HashMap<Locale,String[]>();
+        map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
+                                          "Mountain Daylight Time", "MDT", "MDT",
+                                          "Mountain Time", "MT", "MT"});
+        map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
+                                              "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
+                                              "heure des Rocheuses", "UTC\u221207:00", "MT"});
+        map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
+                                               "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
+                                               "Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
+        CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
+    }
+
+
    public static void main(String[] args) {
-        for (String zone : args) {
-            System.out.printf("Translations for %s\n", zone);
-            for (Locale l : Locale.getAvailableLocales()) {
-                ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
-                System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
+        if (args.length < 1) {
+            System.err.println("Test must be started with the name of the locale provider.");
+            System.exit(1);
+        }
+
+        System.out.println("Checking sanity of full zone string set...");
+        boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+            .peek(l -> System.out.println("Locale: " + l))
+            .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+            .flatMap(zs -> Arrays.stream(zs))
+            .flatMap(names -> Arrays.stream(names))
+            .filter(name -> Objects.isNull(name) || name.isEmpty())
+            .findAny()
+            .isPresent();
+        if (invalid) {
+            System.err.println("Zone string for a locale returned null or empty string");
+            System.exit(2);
+        }
+
+        String localeProvider = args[0];
+        testZone(localeProvider, KYIV,
+                 new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
+        testZone(localeProvider, CIUDAD_JUAREZ,
+                 new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
+    }
+
+    private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
+        for (Locale l : exp.keySet()) {
+            String[] expected = exp.get(l);
+            System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
+            for (String id : ids) {
+                String expectedShortStd = null;
+                String expectedShortDST = null;
+                String expectedShortGen = null;
+
+                System.out.printf("Checking locale %s for %s...\n", l, id);
+
+                if ("JRE".equals(localeProvider)) {
+                    expectedShortStd = expected[2];
+                    expectedShortDST = expected[5];
+                    expectedShortGen = expected[8];
+                } else if ("CLDR".equals(localeProvider)) {
+                    expectedShortStd = expected[1];
+                    expectedShortDST = expected[4];
+                    expectedShortGen = expected[7];
+                } else {
+                    System.err.printf("Invalid locale provider %s\n", localeProvider);
+                    System.exit(3);
+                }
+                System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+                                  localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+                String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+                String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+                String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+                String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+                String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+                String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+                if (!expected[0].equals(longStd)) {
+                    System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+                                      id, l, longStd, expected[0]);
+                    System.exit(4);
+                }
+
+                if (!expectedShortStd.equals(shortStd)) {
+                    System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortStd, expectedShortStd);
+                    System.exit(5);
+                }
+
+                if (!expected[3].equals(longDST)) {
+                    System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+                                      id, l, longDST, expected[3]);
+                    System.exit(6);
+                }
+
+                if (!expectedShortDST.equals(shortDST)) {
+                    System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortDST, expectedShortDST);
+                    System.exit(7);
+                }
+
+                if (!expected[6].equals(longGen)) {
+                    System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+                                      id, l, longGen, expected[6]);
+                    System.exit(8);
+                }
+
+                if (!expectedShortGen.equals(shortGen)) {
+                    System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortGen, expectedShortGen);
+                    System.exit(9);
+                }
            }
        }
    }
--- a/SOURCES/fips-17u-72d08e3226f.patch
+++ b/SOURCES/fips-17u-72d08e3226f.patch
@ -1,9 +1,33 @@
+diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
+index 5f4b22bb27f..1ca9f5b8ffe 100644
+--- a/make/autoconf/build-aux/pkg.m4
+++ b/make/autoconf/build-aux/pkg.m4
+@@ -179,3 +179,19 @@ else
+ 	ifelse([$3], , :, [$3])
+ fi[]dnl
+ ])# PKG_CHECK_MODULES
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
 diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
 new file mode 100644
-index 00000000000..b2b1c1787da
+index 00000000000..f48fc7f7e80
 --- /dev/null
 +++ b/make/autoconf/lib-sysconf.m4
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,87 @@
 +#
 +# Copyright (c) 2021, Red Hat, Inc.
 +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da
 +  #
 +  # Check for the NSS library
 +  #
+  AC_MSG_CHECKING([for NSS library directory])
+  PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
 +
-+  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+  AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
 +
 +  # default is not available
 +  DEFAULT_SYSCONF_NSS=no
@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da
 +      fi
 +  fi
 +  AC_SUBST(USE_SYSCONF_NSS)
+  AC_SUBST(NSS_LIBDIR)
 +])
 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
 index a65d91ee974..a8f054c1397 100644
@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644
   BASIC_JDKLIB_LIBS=""
   if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
 diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
-index c2c9c4adf3a..9d105b37acf 100644
+index d557549adb3..1cb44bd2595 100644
 --- a/make/autoconf/spec.gmk.in
 +++ b/make/autoconf/spec.gmk.in
-@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
 # Libraries
 #
 
 +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
 +NSS_LIBS:=@NSS_LIBS@
 +NSS_CFLAGS:=@NSS_CFLAGS@
+NSS_LIBDIR:=@NSS_LIBDIR@
 +
 USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
 LCMS_CFLAGS:=@LCMS_CFLAGS@
 LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
+index 4b894eeae4a..51567071aa8 100644
+--- a/make/modules/java.base/Gendata.gmk
+++ b/make/modules/java.base/Gendata.gmk
+@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
+ TARGETS += $(GENDATA_JAVA_SECURITY)
+ 
+ ################################################################################
+
+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
+
+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
+	$(call LogInfo, Generating nss.fips.cfg)
+	$(call MakeTargetDir)
+	$(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
+	    ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
+	)
+
+TARGETS += $(GENDATA_NSS_FIPS_CFG)
+
+################################################################################
 diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
 index 5658ff342e5..c8bc5bde1e1 100644
 --- a/make/modules/java.base/Lib.gmk
@ -1771,7 +1821,7 @@ index f6d3638c3dd..a1ee182d913 100644
 +    }
 }
 diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 63bb580eb3a..dbbf11bbb22 100644
+index 9faee9cae36..27f43550aa4 100644
 --- a/src/java.base/share/classes/module-info.java
 +++ b/src/java.base/share/classes/module-info.java
@@ -152,6 +152,8 @@ module java.base {
@ -2193,18 +2243,6 @@ index ca79f25cc44..225517ac69b 100644
         addA(p, "AlgorithmParameters", "RSASSA-PSS",
                 "sun.security.rsa.PSSParameters", null);
     }
-diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index 6ffdfeda18d..82e896170f0 100644
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -32,6 +32,7 @@ import java.security.cert.*;
- import java.util.*;
- import java.util.concurrent.locks.ReentrantLock;
- import javax.net.ssl.*;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
 diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
 new file mode 100644
 index 00000000000..dc8bc72fccb
@ -2509,7 +2547,7 @@ index 00000000000..dc8bc72fccb
 +    }
 +}
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 6d91e3f8e4e..f357b630460 100644
+index 63be286686d..b0a589c3fb4 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
@ -2529,7 +2567,7 @@ index 6d91e3f8e4e..f357b630460 100644
 #
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
-@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false
+@@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false
 #
 keystore.type=pkcs12
 
@ -2537,11 +2575,47 @@ index 6d91e3f8e4e..f357b630460 100644
 +# Default keystore type used when global crypto-policies are set to FIPS.
 +#
 +fips.keystore.type=pkcs12
+
+#
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# The syntax for this property is identical to the 'nssSecmodDirectory'
+# attribute available in the SunPKCS11 NSS configuration file. Use the
+# 'sql:' prefix to refer to an SQLite DB.
+#
+# If the system property fips.nssdb.path is also specified, it supersedes
+# the security property value defined here.
+#
+# Note: the default value for this property points to an NSS DB that might be
+# readable by multiple operating system users and unsuitable to store keys.
+#
+fips.nssdb.path=sql:/etc/pki/nssdb
+
+#
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# Values must take any of the following forms:
+#   1) pin:<value>
+#        Value: clear text PIN value.
+#   2) env:<value>
+#        Value: environment variable containing the PIN value.
+#   3) file:<value>
+#        Value: path to a file containing the PIN value in its first
+#        line.
+#
+# If the system property fips.nssdb.pin is also specified, it supersedes
+# the security property value defined here.
+#
+# When used as a system property, UTF-8 encoded values are valid. When
+# used as a security property (such as in this file), encode non-Basic
+# Latin Unicode characters with \uXXXX.
+#
+fips.nssdb.pin=pin:
 +
 #
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #
-@@ -326,6 +341,13 @@ package.definition=sun.misc.,\
+@@ -326,6 +377,13 @@ package.definition=sun.misc.,\
 #
 security.overridePropertiesFile=true
 
@ -2555,6 +2629,20 @@ index 6d91e3f8e4e..f357b630460 100644
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
+diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
+new file mode 100644
+index 00000000000..55bbba98b7a
+--- /dev/null
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
+@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = ${fips.nssdb.path}
+nssDbMode = readWrite
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
 diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
 index b22f26947af..3ee2ce6ea88 100644
 --- a/src/java.base/share/lib/security/default.policy
@ -2819,10 +2907,10 @@ index 00000000000..ddf9befe5bc
 +#endif
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
 new file mode 100644
-index 00000000000..8cfa2734d4e
+index 00000000000..d3f0bffb821
 --- /dev/null
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,461 @@
+@@ -0,0 +1,457 @@
 +/*
 + * Copyright (c) 2021, Red Hat, Inc.
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -2897,9 +2985,6 @@ index 00000000000..8cfa2734d4e
 +    private static volatile Provider sunECProvider = null;
 +    private static final ReentrantLock sunECProviderLock = new ReentrantLock();
 +
-+    private static volatile KeyFactory DHKF = null;
-+    private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
 +    static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
 +            throws PKCS11Exception {
 +        long keyID = -1;
@ -3144,8 +3229,7 @@ index 00000000000..8cfa2734d4e
 +                    CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
 +                    CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
 +            RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
-+                    RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
-+            );
+                    RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
 +            CK_ATTRIBUTE attr;
 +            if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
 +                attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
@ -3284,6 +3368,162 @@ index 00000000000..8cfa2734d4e
 +        }
 +    }
 +}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+new file mode 100644
+index 00000000000..f8d505ca815
+--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2022, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.security.ProviderException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import sun.security.util.Debug;
+import sun.security.util.SecurityProperties;
+
+final class FIPSTokenLoginHandler implements CallbackHandler {
+
+    private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
+
+    private static final Debug debug = Debug.getInstance("sunpkcs11");
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        if (!(callbacks[0] instanceof PasswordCallback)) {
+            throw new UnsupportedCallbackException(callbacks[0]);
+        }
+        PasswordCallback pc = (PasswordCallback)callbacks[0];
+        pc.setPassword(getFipsNssdbPin());
+    }
+
+    private static char[] getFipsNssdbPin() throws ProviderException {
+        if (debug != null) {
+            debug.println("FIPS: Reading NSS DB PIN for token...");
+        }
+        String pinProp = SecurityProperties
+                .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
+        if (pinProp != null && !pinProp.isEmpty()) {
+            String[] pinPropParts = pinProp.split(":", 2);
+            if (pinPropParts.length < 2) {
+                throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
+                        " property value.");
+            }
+            String prefix = pinPropParts[0].toLowerCase();
+            String value = pinPropParts[1];
+            String pin = null;
+            if (prefix.equals("env")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the '" + value +
+                            "' environment variable.");
+                }
+                pin = System.getenv(value);
+            } else if (prefix.equals("file")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the '" + value +
+                            "' file.");
+                }
+                pin = getPinFromFile(Paths.get(value));
+            } else if (prefix.equals("pin")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the " +
+                            FIPS_NSSDB_PIN_PROP + " property.");
+                }
+                pin = value;
+            } else {
+                throw new ProviderException("Unsupported prefix for " +
+                        FIPS_NSSDB_PIN_PROP + ".");
+            }
+            if (pin != null && !pin.isEmpty()) {
+                if (debug != null) {
+                    debug.println("FIPS: non-empty PIN.");
+                }
+                /*
+                 * C_Login in libj2pkcs11 receives the PIN in a char[] and
+                 * discards the upper byte of each char, before passing
+                 * the value to the NSS Software Token. However, the
+                 * NSS Software Token accepts any UTF-8 PIN value. Thus,
+                 * expand the PIN here to account for later truncation.
+                 */
+                byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
+                char[] pinChar = new char[pinUtf8.length];
+                for (int i = 0; i < pinChar.length; i++) {
+                    pinChar[i] = (char)(pinUtf8[i] & 0xFF);
+                }
+                return pinChar;
+            }
+        }
+        if (debug != null) {
+            debug.println("FIPS: empty PIN.");
+        }
+        return null;
+    }
+
+    /*
+     * This method extracts the token PIN from the first line of a password
+     * file in the same way as NSS modutil. See for example the -newpwfile
+     * argument used to change the password for an NSS DB.
+     */
+    private static String getPinFromFile(Path f) throws ProviderException {
+        try (InputStream is =
+                Files.newInputStream(f, StandardOpenOption.READ)) {
+            /*
+             * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
+             * reads up to 4096 bytes. In addition, the NSS Software Token
+             * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
+             * in nss/lib/softoken/pkcs11i.h).
+             */
+            BufferedReader in =
+                    new BufferedReader(new InputStreamReader(
+                            new ByteArrayInputStream(is.readNBytes(4096)),
+                            StandardCharsets.UTF_8));
+            return in.readLine();
+        } catch (IOException ioe) {
+            throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
+                    " from the '" + f + "' file.", ioe);
+        }
+    }
+}
+\ No newline at end of file
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 index 9b69072280e..5696b904979 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@ -3597,7 +3837,7 @@ index 00000000000..ae4262703e6
 +
 +}
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-index c98960f7fcc..c14319a5356 100644
+index 8d1b8ccb0ae..950ed20cf62 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
@@ -31,6 +31,7 @@ import java.security.*;
@ -3608,7 +3848,7 @@ index c98960f7fcc..c14319a5356 100644
 import javax.crypto.spec.*;
 
 import static sun.security.pkcs11.TemplateManager.*;
-@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
         return p11Key;
     }
 
@ -3737,7 +3977,7 @@ index c98960f7fcc..c14319a5356 100644
     static void fixDESParity(byte[] key, int offset) {
         for (int i = 0; i < 8; i++) {
             int b = key[offset] & 0xfe;
-@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
                 keySpec = new SecretKeySpec(keyBytes, "DESede");
                 return engineGenerateSecret(keySpec);
             }
@ -3747,7 +3987,7 @@ index c98960f7fcc..c14319a5356 100644
         }
         throw new InvalidKeySpecException
                 ("Unsupported spec: " + keySpec.getClass().getName());
-@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
     // see JCE spec
     protected SecretKey engineTranslateKey(SecretKey key)
             throws InvalidKeyException {
@ -3880,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
         Provider p = sun;
         if (p == null) {
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 112b639aa96..3e170b4c115 100644
+index aa35e8fa668..f4d7c9cc201 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@ -3893,7 +4133,7 @@ index 112b639aa96..3e170b4c115 100644
 import java.util.*;
 
 import java.security.*;
-@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback;
+@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
 
 import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
 
@ -3901,7 +4141,12 @@ index 112b639aa96..3e170b4c115 100644
 import jdk.internal.misc.InnocuousThread;
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
-@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+import sun.security.util.SecurityProperties;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+ 
+ import sun.security.pkcs11.Secmod.*;
+@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
  */
 public final class SunPKCS11 extends AuthProvider {
 
@ -3935,11 +4180,32 @@ index 112b639aa96..3e170b4c115 100644
 +        fipsImportKey = fipsImportKeyTmp;
 +        fipsExportKey = fipsExportKeyTmp;
 +    }
+
+    private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
 +
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
+             return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
+                 @Override
+                 public SunPKCS11 run() throws Exception {
+                    if (systemFipsEnabled) {
+                        /*
+                         * The nssSecmodDirectory attribute in the SunPKCS11
+                         * NSS configuration file takes the value of the
+                         * fips.nssdb.path System property after expansion.
+                         * Security properties expansion is unsupported.
+                         */
+                        System.setProperty(
+                                FIPS_NSSDB_PATH_PROP,
+                                SecurityProperties.privilegedGetOverridable(
+                                        FIPS_NSSDB_PATH_PROP));
+                    }
+                     return new SunPKCS11(new Config(newConfigName));
+                 }
+             });
+@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
             // request multithreaded access first
             initArgs.flags = CKF_OS_LOCKING_OK;
             PKCS11 tmpPKCS11;
@ -3960,7 +4226,7 @@ index 112b639aa96..3e170b4c115 100644
             } catch (PKCS11Exception e) {
                 if (debug != null) {
                     debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
                     initArgs.flags = 0;
                 }
                 tmpPKCS11 = PKCS11.getInstance(library,
@ -3975,32 +4241,7 @@ index 112b639aa96..3e170b4c115 100644
             if (p11Info.cryptokiVersion.major < 2) {
                 throw new ProviderException("Only PKCS#11 v2.0 and later "
                 + "supported, library version is v" + p11Info.cryptokiVersion);
-@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
-             if (nssModule != null) {
-                 nssModule.setProvider(this);
-             }
-+            if (systemFipsEnabled) {
-+                // The NSS Software Token in FIPS 140-2 mode requires a user
-+                // login for most operations. See sftk_fipsCheck. The NSS DB
-+                // (/etc/pki/nssdb) PIN is empty.
-+                Session session = null;
-+                try {
-+                    session = token.getOpSession();
-+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
-+                } catch (PKCS11Exception p11e) {
-+                    if (debug != null) {
-+                        debug.println("Error during token login: " +
-+                                p11e.getMessage());
-+                    }
-+                    throw p11e;
-+                } finally {
-+                    token.releaseSession(session);
-+                }
-+            }
-         } catch (Exception e) {
-             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
-                 throw new UnsupportedOperationException
-@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
         final String className;
         final List<String> aliases;
         final int[] mechanisms;
@ -4021,7 +4262,7 @@ index 112b639aa96..3e170b4c115 100644
         }
         private P11Service service(Token token, int mechanism) {
             return new P11Service
-@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
 
     private static void d(String type, String algorithm, String className,
             int[] m) {
@ -4054,7 +4295,7 @@ index 112b639aa96..3e170b4c115 100644
     }
 
     private static void register(Descriptor d) {
-@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
         String P11Cipher           = "sun.security.pkcs11.P11Cipher";
         String P11RSACipher        = "sun.security.pkcs11.P11RSACipher";
         String P11AEADCipher       = "sun.security.pkcs11.P11AEADCipher";
@ -4062,7 +4303,7 @@ index 112b639aa96..3e170b4c115 100644
         String P11Signature        = "sun.security.pkcs11.P11Signature";
         String P11PSSSignature     = "sun.security.pkcs11.P11PSSSignature";
 
-@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
         d(MAC, "SslMacSHA1",    P11Mac,
                 m(CKM_SSL3_SHA1_MAC));
 
@ -4093,7 +4334,7 @@ index 112b639aa96..3e170b4c115 100644
         d(KPG, "RSA",           P11KeyPairGenerator,
                 getAliases("PKCS1"),
                 m(CKM_RSA_PKCS_KEY_PAIR_GEN));
-@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
         d(SKF, "ChaCha20",      P11SecretKeyFactory,
                 m(CKM_CHACHA20_POLY1305));
 
@ -4160,7 +4401,7 @@ index 112b639aa96..3e170b4c115 100644
         // XXX attributes for Ciphers (supported modes, padding)
         dA(CIP, "ARCFOUR",                      P11Cipher,
                 m(CKM_RC4));
-@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
         d(CIP, "RSA/ECB/NoPadding",             P11RSACipher,
                 m(CKM_RSA_X_509));
 
@ -4207,7 +4448,7 @@ index 112b639aa96..3e170b4c115 100644
         d(SIG, "RawDSA",        P11Signature,
                 List.of("NONEwithDSA"),
                 m(CKM_DSA));
-@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
             if (ds == null) {
                 continue;
             }
@ -4229,7 +4470,35 @@ index 112b639aa96..3e170b4c115 100644
                     supportedAlgs.put(d, integerMech);
                     continue;
                 }
-@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
+             if (token.isValid() == false) {
+                 throw new NoSuchAlgorithmException("Token has been removed");
+             }
+            if (systemFipsEnabled && !token.fipsLoggedIn &&
+                    !getType().equals("KeyStore")) {
+                /*
+                 * The NSS Software Token in FIPS 140-2 mode requires a
+                 * user login for most operations. See sftk_fipsCheck
+                 * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
+                 * service, let the caller perform the login with
+                 * KeyStore::load. Keytool, for example, does this to pass a
+                 * PIN from either the -srcstorepass or -deststorepass
+                 * argument. In case of a non-KeyStore service, perform the
+                 * login now with the PIN available in the fips.nssdb.pin
+                 * property.
+                 */
+                try {
+                    token.ensureLoggedIn(null);
+                } catch (PKCS11Exception | LoginException e) {
+                    throw new ProviderException("FIPS: error during the Token" +
+                            " login required for the " + getType() +
+                            " service.", e);
+                }
+            }
+             try {
+                 return newInstance0(param);
+             } catch (PKCS11Exception e) {
+@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
                 } else if (algorithm.endsWith("GCM/NoPadding") ||
                            algorithm.startsWith("ChaCha20-Poly1305")) {
                     return new P11AEADCipher(token, algorithm, mechanism);
@ -4238,6 +4507,63 @@ index 112b639aa96..3e170b4c115 100644
                 } else {
                     return new P11Cipher(token, algorithm, mechanism);
                 }
+@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
+         try {
+             session = token.getOpSession();
+             p11.C_Logout(session.id());
+            if (systemFipsEnabled) {
+                token.fipsLoggedIn = false;
+            }
+             if (debug != null) {
+                 debug.println("logout succeeded");
+             }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+index 9858a5faedf..e63585486d9 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+@@ -33,6 +33,7 @@ import java.lang.ref.*;
+ import java.security.*;
+ import javax.security.auth.login.LoginException;
+ 
+import jdk.internal.access.SharedSecrets;
+ import sun.security.jca.JCAUtil;
+ 
+ import sun.security.pkcs11.wrapper.*;
+@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+  */
+ class Token implements Serializable {
+ 
+    private static final boolean systemFipsEnabled = SharedSecrets
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
+     // need to be serializable to allow SecureRandom to be serialized
+     private static final long serialVersionUID = 2541527649100571747L;
+ 
+@@ -114,6 +118,10 @@ class Token implements Serializable {
+     // flag indicating whether we are logged in
+     private volatile boolean loggedIn;
+ 
+    // Flag indicating the login status for the NSS Software Token in FIPS mode.
+    // This Token is never asynchronously removed. Used from SunPKCS11.
+    volatile boolean fipsLoggedIn;
+
+     // time we last checked login status
+     private long lastLoginCheck;
+ 
+@@ -232,7 +240,12 @@ class Token implements Serializable {
+     // call provider.login() if not
+     void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
+         if (isLoggedIn(session) == false) {
+-            provider.login(null, null);
+            if (systemFipsEnabled) {
+                provider.login(null, new FIPSTokenLoginHandler());
+                fipsLoggedIn = true;
+            } else {
+                provider.login(null, null);
+            }
+         }
+     }
+ 
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
 index 88ff8a71fc3..47a2f97eddf 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
@ -4877,7 +5203,7 @@ index 5c0aacd1a67..5fbf8addcba 100644
 +}
 }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-index d22844cfba8..9e02958b4b0 100644
+index 0d65ee26805..38fd4aff1f3 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
@ -4939,7 +5265,7 @@ index d22844cfba8..9e02958b4b0 100644
 +                                        /* (CKM_NSS + 32) */ = 0xCE534370L;
 }
 diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-index 666c5eb9b3b..5523dafcdb4 100644
+index d941b574cc7..e2de13648be 100644
 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
 +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
--- a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
+++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
@ -1,26 +0,0 @@
-diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-                     ctx = getLdapCtxFromUrl(
-                             r.getDomainName(), url, new LdapURL(u), env);
-                     return ctx;
-+                } catch (AuthenticationException e) {
-+                    // do not retry on a different endpoint to avoid blocking
-+                    // the user if authentication credentials are wrong.
-+                    throw e;
-                 } catch (NamingException e) {
-                     // try the next element
-                     lastException = e;
-@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-         for (String u : urls) {
-             try {
-                 return getUsingURL(u, env);
-+            } catch (AuthenticationException e) {
-+                // do not retry on a different URL to avoid blocking
-+                // the user if authentication credentials are wrong.
-+                throw e;
-             } catch (NamingException e) {
-                 ex = e;
-             }
--- a/SOURCES/jdk8292223-tzdata2022b-kyiv.patch
+++ b/SOURCES/jdk8292223-tzdata2022b-kyiv.patch
@ -1,132 +0,0 @@
-diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-index 8759aab3995..11ccbf73839 100644
--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
-             {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
-                                            "Kirov Daylight Time", "GMT+03:00",
-                                            "Kirov Time", "GMT+03:00"}},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-index f007c1a8d3b..617268e4cf3 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-index 386414e16e6..14c5d89b9c5 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-index d23f5fd49e6..44117125619 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-index b4f57d4568c..efa818f3865 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-index 1a10a9f96dc..7c0565461ad 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-index 9a2d9e5c57c..8a2c805997f 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-index de5e5c82daa..e3c06417f09 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-index b53de4d8c89..3e46b6a063e 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-index 7797cda19d5..590908409a8 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-index 2cd10554853..23c5f180b6d 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
-             {"Europe/Jersey", GMTBST},
-             {"Europe/Kaliningrad", EET},
-             {"Europe/Kiev", EET},
-+            {"Europe/Kyiv", EET},
-             {"Europe/Lisbon", WET},
-             {"Europe/Ljubljana", CET},
-             {"Europe/London", GMTBST},
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
@ -5,6 +5,7 @@ TREE=${1}
 TYPE=${2}

 ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
 JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
 GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
 PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@ -31,15 +32,21 @@ cd ${TREE}

 echo "Removing built-in libs (they will be linked)"

-# On full runs, allow for zlib having already been deleted by minimal
+# On full runs, allow for zlib & freetype having already been deleted by minimal
 echo "Removing zlib"
 if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
 	echo "${ZIP_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+	echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi
+rm -rvf ${FREETYPE_SRC}

-# Minimal is limited to just zlib so finish here
+# Minimal is limited to just zlib and freetype so finish here
 if test "x${TYPE}" = "xminimal"; then
    echo "Finished.";
    exit 0;
--- a/SPECS/java-17-openjdk.spec
+++ b/SPECS/java-17-openjdk.spec
@ -23,6 +23,8 @@
 %bcond_without staticlibs
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
 %bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs

 # Workaround for stripping of debug symbols from static libraries
 %if %{with staticlibs}
@ -39,6 +41,16 @@
 %global build_hotspot_first 0
 %endif

+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
 # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
 # This fixes detailed NMT and other tools which need minimal debug info.
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -190,11 +202,15 @@
 %global staticlibs_loop %{nil}
 %endif

+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
 %ifarch %{bootstrap_arches}
 %global bootstrap_build true
 %else
 %global bootstrap_build false
 %endif
+%endif

 %if %{include_staticlibs}
 # Extra target for producing the static-libraries. Separate from
@ -305,8 +321,8 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 4
-%global patchver 1
+%global updatever 6
+%global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
 # and this it is better to change it here, on single place
@ -345,15 +361,15 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 0bd5ca9ccc5
+%global fipsver 72d08e3226f

 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        1
-%global rpmrelease      2
+%global buildver        9
+%global rpmrelease      3
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -379,7 +395,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           1
+%global is_ga           0
 %if %{is_ga}
 %global build_type GA
 %global ea_designator ""
@ -411,7 +427,7 @@
 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
 #         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
 #         https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
 %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
 %if %is_system_jdk
 %global __provides_exclude ^(%{_privatelibs})$
@ -815,6 +831,9 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@ -933,7 +952,7 @@ exit 0
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
 %endif
 %endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@ -972,11 +991,11 @@ exit 0
 %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*

 %if %{with_systemtap}
 %dir %{tapsetroot}
@ -1099,8 +1118,8 @@ Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
 # Require zone-info data provided by tzdata-java sub-package
-# 2022a required as of JDK-8283350 in 17.0.4
-Requires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+Requires: tzdata-java >= 2022g
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@ -1108,7 +1127,7 @@ Requires: lksctp-tools%{?_isa}
 # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
 # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
 # considered as regression
-Requires: copy-jdk-configs >= 4.0
+Requires: copy-jdk-configs >= 3.3
 OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
@ -1292,9 +1311,6 @@ Source15: TestSecurityProperties.java
 # Ensure vendor settings are correct
 Source16: CheckVendor.java

-# nss fips configuration file
-Source17: nss.fips.cfg.in
-
 # Ensure translations are available for new timezones
 Source18: TestTranslations.java

@ -1317,11 +1333,9 @@ Patch2:    rh1648644-java_access_bridge_privileged_security.patch
 Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
 # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
-Patch7: jdk8292223-tzdata2022b-kyiv.patch

 # Crypto policy and FIPS support patches
-# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u-cpu-2022-07
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
 # as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
@ -1348,6 +1362,9 @@ Patch7: jdk8292223-tzdata2022b-kyiv.patch
 # Build the systemconf library on all platforms
 # RH2048582: Support PKCS#12 keystores
 # RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
 Patch1001: fips-17u-%{fipsver}.patch

 #############################################
@ -1355,12 +1372,16 @@ Patch1001: fips-17u-%{fipsver}.patch
 # OpenJDK patches in need of upstreaming
 #
 #############################################
-# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
-Patch2000: jdk8275535-rh2053256-ldap_auth.patch

 #############################################
 #
-# OpenJDK patches appearing in 17.0.3
+# OpenJDK patches appearing in 17.0.5
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
 #
 #############################################

@ -1373,14 +1394,8 @@ BuildRequires: desktop-file-utils
 # elfutils only are OK for build without AOT
 BuildRequires: elfutils-devel
 BuildRequires: fontconfig-devel
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
 BuildRequires: gcc-c++
 BuildRequires: gdb
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
 BuildRequires: libxslt
 BuildRequires: libX11-devel
 BuildRequires: libXi-devel
@ -1402,8 +1417,8 @@ BuildRequires: java-17-openjdk-devel
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2022a required as of JDK-8283350 in 17.0.4
-BuildRequires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+BuildRequires: tzdata-java >= 2022g
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8

@ -1412,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
 %endif
 BuildRequires: make

+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
 # this is always built, also during debug-only build
 # when it is built in debug-only this package is just placeholder
 %{java_rpo %{nil}}
@ -1761,8 +1800,11 @@ if [ $prioritylength -ne 8 ] ; then
 fi

 # OpenJDK patches
+
+%if %{system_libs}
 # Remove libraries that are linked by both static and dynamic builds
 sh %{SOURCE12} %{top_level_dir_name}
+%endif

 # Patch the JDK
 pushd %{top_level_dir_name}
@ -1770,7 +1812,6 @@ pushd %{top_level_dir_name}
 %patch2 -p1
 %patch3 -p1
 %patch6 -p1
-%patch7 -p1
 # Add crypto policy and FIPS support
 %patch1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
@ -1779,8 +1820,6 @@ popd # openjdk

 %patch600

-%patch2000
-
 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
 # configure does not automatically use the
@ -1798,8 +1837,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
    echo "WARNING: Designator mismatch";
    echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
    echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
-    # Don't fail at present as upstream are not maintaining the value correctly
-    #exit 17
+    exit 17
 fi

 # Extract systemtap tapsets
@ -1851,9 +1889,6 @@ done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg

-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
-
 %build
 # How many CPU's do we have?
 export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@ -1897,6 +1932,14 @@ function buildjdk() {
    local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
    local top_dir_abs_build_path=$(pwd)/${outputdir}

+    # This must be set using the global, so that the
+    # static libraries still use a dynamic stdc++lib
+    if [ "x%{link_type}" = "xbundled" ] ; then
+        libc_link_opt="static";
+    else
+        libc_link_opt="dynamic";
+    fi
+
    echo "Using output directory: ${outputdir}";
    echo "Checking build JDK ${buildjdk} is operational..."
    ${buildjdk}/bin/java -version
@ -1908,6 +1951,10 @@ function buildjdk() {
    mkdir -p ${outputdir}
    pushd ${outputdir}

+    # Note: zlib and freetype use %{link_type}
+    # rather than ${link_opt} as the system versions
+    # are always used in a system_libs build, even
+    # for the static library build
    bash ${top_dir_abs_src_path}/configure \
 %ifarch %{zero_arches}
    --with-jvm-variants=zero \
@ -1928,13 +1975,14 @@ function buildjdk() {
    --with-native-debug-symbols="%{debug_symbols}" \
    --disable-sysconf-nss \
    --enable-unlimited-crypto \
-    --with-zlib=system \
+    --with-zlib=%{link_type} \
+    --with-freetype=%{link_type} \
    --with-libjpeg=${link_opt} \
    --with-giflib=${link_opt} \
    --with-libpng=${link_opt} \
    --with-lcms=${link_opt} \
    --with-harfbuzz=${link_opt} \
-    --with-stdc++lib=dynamic \
+    --with-stdc++lib=${libc_link_opt} \
    --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
    --with-extra-cflags="$EXTRA_CFLAGS" \
    --with-extra-ldflags="%{ourldflags}" \
@ -1974,9 +2022,6 @@ function installjdk() {
 	# Install nss.cfg right away as we will be using the JRE above
 	install -m 644 nss.cfg ${imagepath}/conf/security/

-	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-	install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-
 	# Turn on system security properties
 	sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
 	    ${imagepath}/conf/security/java.security
@ -2020,12 +2065,13 @@ for suffix in %{build_loop} ; do
    bootbuilddir=boot${builddir}

    if test "x${loop}" = "x%{main_suffix}" ; then
+      link_opt="%{link_type}"
+%if %{system_libs}
      # Copy the source tree so we can remove all in-tree libraries
      cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
      # Remove all libraries that are linked
      sh %{SOURCE12} %{top_level_dir_name} full
-      # Use system libraries
-      link_opt="system"
+%endif
      # Debug builds don't need same targets as release for
      # build speed-up. We also avoid bootstrapping these
      # slower builds.
@ -2043,9 +2089,11 @@ for suffix in %{build_loop} ; do
      else
        buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
      fi
+%if %{system_libs}
      # Restore original source tree we modified by removing full in-tree sources
      rm -rf %{top_level_dir_name}
      mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
    else
      # Use bundled libraries for building statically
      link_opt="bundled"
@ -2079,6 +2127,8 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli

 export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}

+# Pre-test setup
+
 #check Shenandoah is enabled
 %if %{use_shenandoah_hotspot}
 $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
@ -2112,12 +2162,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
 %endif

 # Check translations are available for new timezones
-$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
-                     --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
-                     -d . %{SOURCE18}
-$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
-                    --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
-                    $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR

 %if %{include_staticlibs}
 # Check debug symbols in static libraries (smoke test)
@ -2376,10 +2423,9 @@ else
  return
  end
 end
-arg = nil ;  -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
-cjc = require "copy_jdk_configs.lua"
-args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
-cjc.mainProgram(args)
+-- run content of included file with fake args
+arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+require "copy_jdk_configs.lua"

 %post
 %{post_script %{nil}}
@ -2575,28 +2621,98 @@ cjc.mainProgram(args)
 %endif

 %changelog
-* Fri Sep 02 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
+* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
+- Update to jdk-17.0.6+9
+- Update release notes to 17.0.6+9
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- Resolves: rhbz#2150195
+
+* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.3.ea
+- Update to jdk-17.0.6+1
+- Update release notes to 17.0.6+1
+- Switch to EA mode for 17.0.6 pre-release builds.
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Bump tzdata requirement to 2022e now the package is available in RHEL
+- Related: rhbz#2150195
+
+* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-5
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2117972
+
+* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+- Resolves: rhbz#2133695
+
+* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+- Drop JDK-8288985 patch that is now upstream
+- Resolves: rhbz#2130617
+
+* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130617
+
+* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
+- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
+- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
+- Resolves: rhbz#2006351
+
+* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121263
+
+* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102734
+
+* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
 - Update FIPS support to bring in latest changes
- * RH2023467: Enable FIPS keys export
 - * RH2104724: Avoid import/export of DH private keys
 - * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
 - * Build the systemconf library on all platforms
 - * RH2048582: Support PKCS#12 keystores
 - * RH2020290: Support TLS 1.3 in FIPS mode
- Resolves: rhbz#2123579
- Resolves: rhbz#2123580
- Resolves: rhbz#2123581
- Resolves: rhbz#2123583
- Resolves: rhbz#2123584
+- Resolves: rhbz#2104724
+- Resolves: rhbz#2092507
+- Resolves: rhbz#2048582
+- Resolves: rhbz#2020290

-* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-1
+* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
 - Update to jdk-17.0.4.1+1
 - Update release notes to 17.0.4.1+1
 - Add patch to provide translations for Europe/Kyiv added in tzdata2022b
 - Add test to ensure timezones can be translated
- Resolves: rhbz#2120058
+- Resolves: rhbz#2119531

-* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-0.2.ea
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106522
+
+* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
 - Revert the following changes until copy-java-configs has adapted to relative symlinks:
 - * Move cacerts replacement to install section and retain original of this and tzdb.dat
 - * Run tests on the installed image, rather than the build image
@ -2604,11 +2720,19 @@ cjc.mainProgram(args)
 - * Use relative symlinks so they work within the image
 - * Run debug symbols check during build stage, before the install strips them
 - The move of turning on system security properties is retained so we don't ship with them off
- Related: rhbz#2084779
+- Related: rhbz#2100674

-* Mon Jul 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-1
- Update to jdk-17.0.4.0+8
- Update release notes to 17.0.4.0+8
+* Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
+- retutrned absolute symlinks
+- relative symlinks are breaking cjc, and deeper investigations are necessary
+-- why cjc intentionally skips relative symllinks
+- images have to be workarounded differently
+- Related: rhbz#2100674
+
+* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.4.0+7
+- Update release notes to 17.0.4.0+7
+- Switch to EA mode for 17.0.4 pre-release builds.
 - Need to include the '.S' suffix in debuginfo checks after JDK-8284661
 - Print release file during build, which should now include a correct SOURCE value from .src-rev
 - Update tarball script with IcedTea GitHub URL and .src-rev generation
@ -2619,54 +2743,100 @@ cjc.mainProgram(args)
 - Explicitly require crypto-policies during build and runtime for system security properties
 - Make use of the vendor version string to store our version & release rather than an upstream release date
 - Include a test in the RPM to check the build has the correct vendor information.
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- * RH2094027: SunEC runtime permission for FIPS
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
+- Resolves: rhbz#2083316
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2083316
+
+* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
+- Fix whitespace in spec file
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
+- Sequence spec file sections as they are run by rpmbuild (build, install then test)
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
 - Turn on system security properties as part of the build's install section
 - Move cacerts replacement to install section and retain original of this and tzdb.dat
 - Run tests on the installed image, rather than the build image
 - Introduce variables to refer to the static library installation directories
 - Use relative symlinks so they work within the image
 - Run debug symbols check during build stage, before the install strips them
- Resolves: rhbz#2084779
- Resolves: rhbz#2099919
- Resolves: rhbz#2107943
- Resolves: rhbz#2107941
- Resolves: rhbz#2106523
+- Related: rhbz#2100674

-* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2084779
-
-* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-2
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2105395
+- Resolves: rhbz#2007331
+
+* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099840
+- Resolves: rhbz#2100674
+
+* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
+- Add rpminspect.yaml to turn off Java bytecode inspections
+- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
+- Resolves: rhbz#2101524
+
+* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2023467
+- Resolves: rhbz#2094027

 * Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
 - April 2022 security update to jdk 17.0.3+7
- Update to jdk-17.0.3.0+7 tarball
- Update release notes to 17.0.3.0+7
+- Update to jdk-17.0.3.0+7 release tarball
+- Update release notes to 17.0.3.0+6
 - Add missing README.md and generate_source_tarball.sh
- Resolves: rhbz#2073578
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+- Resolves: rhbz#2073577

-* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-13
+* Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050456
+
+* Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-15
 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
- Resolves: rhbz#2055383
+- Resolves: rhbz#2052070

-* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2023540
-
-* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
+* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-14
 - Introduce tests/tests.yml, based on the one in java-11-openjdk
- Resolves: rhbz#2058490
+- Resolves: rhbz#2058493
+
+* Sun Feb 27 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-13
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+  secmod.db file as part of nss
+- Resolves: rhbz#2023536
+
+* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2051605
+
+* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053256

 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10
 - Storing and restoring alterntives during update manually
@ -2678,30 +2848,28 @@ cjc.mainProgram(args)
 -- the selection in family
 -- Thus this fix, is storing the family of manually selected master, and if
 -- stored, then it is restoring the family of the master
- Resolves: rhbz#2008206
+- Resolves: rhbz#2008200

 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9
 - Family extracted to globals
- Related: rhbz#2008206
+- Resolves: rhbz#2008200

-* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Resolves: rhbz#2052829
+* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-8
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008200

-* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053521
-
-* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
+* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
 - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052819
+- Resolves: rhbz#2051590

-* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
+* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
 - Fix FIPS issues in native code and with initialisation of java.security.Security
- Resolves: rhbz#2023531
+- Resolves: rhbz#2023378

-* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4
+* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
 - Restructure the build so a minimal initial build is then used for the final build (with docs)
 - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
 - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
@ -2714,108 +2882,92 @@ cjc.mainProgram(args)
 - Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
 - Explicitly list JIT architectures rather than relying on those with slowdebug builds
 - Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Resolves: rhbz#2022826
+- Resolves: rhbz#2022822

-* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
+* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-5
 - Replaced tabs by sets of spaces to make rpmlint happy
 - javadoc-zip gets its own provides next to plain javadoc ones
- Resolves: rhbz#2022826
+- Resolves: rhbz#2022822

-* Wed Feb 16 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-3
+* Tue Feb 08 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
 - Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2022826
+- Related: rhbz#2022822

-* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
+* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3
 - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
 - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
- Related: rhbz#2022826
+- Related: rhbz#2022822

-* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
+* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-2
+- Set LTS designator.
+- Related: rhbz#2022822
+
+* Wed Jan 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
 - January 2022 security update to jdk 17.0.2+8
 - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
 - Rename libsvml.so to libjsvml.so following JDK-8276025
- Drop JDK-8276572 patch which is now upstream
- Resolves: rhbz#2039392
+- Resolves: rhbz#2039366

-* Thu Feb 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
+* Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
 - Sync desktop files with upstream IcedTea release 3.15.0 using new script
- Related: rhbz#2022826
+- Related: rhbz#2013842

-* Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-2
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
-  secmod.db file as part of nss
- Resolves: rhbz#2023537
+* Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- Resolves: rhbz#2013842

-* Tue Nov 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-1
- Drop JDK-8272332 patch now included upstream.
- Resolves: rhbz#2013846
-
-* Tue Nov 16 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1
+* Wed Oct 20 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-2
 - October CPU update to jdk 17.0.1+12
 - Dropped commented-out source line
- Resolves: rhbz#2013846
+- Resolves: rhbz#2013842

-* Tue Nov 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-8
- Extend LTS check to exclude EPEL.
- Related: rhbz#2013846
-
-* Tue Nov 09 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.35-8
- Set LTS designator.
- Related: rhbz#2013846
-
-* Mon Nov 08 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-7
- alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008206
-
-* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
- Related: rhbz#2013846
-
-* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
+* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
 - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1994682
+- Resolves: rhbz#1994661

-* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5
+* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-6
 - Add patch to allow plain key import.
- Resolves: rhbz#1994682
+- Resolves: rhbz#1994661

-* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4
+* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
 - Update release notes to document the major changes between OpenJDK 11 & 17.
- Resolves: rhbz#2000925
+- Resolves: rhbz#2003072

 * Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
 - Update to jdk-17+35, also known as jdk-17-ga.
 - Switch to GA mode.
 - Add JDK-8272332 fix so we actually link against HarfBuzz.
- Resolves: rhbz#2000925
+- Resolves: rhbz#2003072
+- Resolves: rhbz#2004078

 * Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
- Resolves: rhbz#1997359
+- Resolves: rhbz#1996182

 * Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
 - Fix unused function compiler warning found in systemconf.c
- Related: rhbz#1995889
+- Related: rhbz#1995150

 * Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
 - Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#1997359
+- Resolves: rhbz#1996182

 * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
 - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
- Resolves: rhbz#1995889
+- Resolves: rhbz#1995150

 * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea
 - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
 - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Related: rhbz#1995889
+- Related: rhbz#1995150

 * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea
 - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Related: rhbz#1995889
+- Related: rhbz#1995150

 * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea
 - Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
@ -2826,56 +2978,51 @@ cjc.mainProgram(args)
 - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
 - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
 - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
- Related: rhbz#1995889
+- Related: rhbz#1995150

 * Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea
 - Support the FIPS mode crypto policy (RH1655466)
 - Use appropriate keystore types when in FIPS mode (RH1818909)
 - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
- Related: rhbz#1995889
+- Related: rhbz#1995150

 * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea
 - Update to jdk-17+33, including JDWP fix and July 2021 CPU
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

 * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea
 - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
 - Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:17.0.0.0.26-0.4.ea.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Wed Jul 14 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
+* Wed Aug 25 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
 - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

-* Tue Jul 13 2021 Jiri Vanek <pmikova@redhat.com> - 1:17.0.0.0.26-0.3.ea
- Add gating support
- Resolves: rhbz#1870625
-
-* Fri Jun 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
+* Wed Aug 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.3.ea
 - Re-enable TestSecurityProperties after inclusion of PR3695
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

-* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
+* Wed Aug 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.3.ea
 - Add PR3695 to allow the system crypto policy to be turned off
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

-* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.1.ea
+* Wed Jul 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
 - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

-* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.1.ea
+* Wed Jul 14 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
 - Update buildjdkver to 17 so as to build with itself
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487
+
+* Tue Jul 13 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.26-0.1.ea
+- Add gating support
+- Resolves: rhbz#1959487

 * Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea
- Rename to java-17-openjdk and bootstrap using boot JDK in local sources
+- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
 - Exclude x86 as this is not supported by OpenJDK 17
- Use unzip to test src.zip to avoid looking for jar on path
- Resolves: rhbz#1870625
+- Resolves: rhbz#1959487

 * Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
 - update sources to jdk 17.0.0+26
@ -2889,9 +3036,6 @@ cjc.mainProgram(args)
 - add lib/libsvml.so for intel
 - skip debuginfo check for libsyslookup.so on s390x

-* Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
-
 * Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> -  1:16.0.1.0.9-2.rolling
 - adapted to debug handling  in newer cjc
 - The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution