diff --git a/generate-tarball.sh b/generate-tarball.sh
index 4bb8914..533a800 100755
--- a/generate-tarball.sh
+++ b/generate-tarball.sh
@@ -5,7 +5,7 @@ name=xalan-j2
 version="$(sed -n 's/Version:\s*//p' *.spec)"
 # RETRIEVE
-wget "http://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
+wget "http://apache.miloslavbrada.cz/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
 rm -rf tarball-tmp
 mkdir tarball-tmp
@@ -15,8 +15,7 @@ tar xf "../${name}-${version}.orig.tar.gz"
 # CLEAN TARBALL
 find -name '*.jar' -delete
 find -name '*.class' -delete
-rm */src/*.tar.gz
-tar cf "../${name}-${version}.tar.gz" *
+tar czf "../${name}-${version}.tar.gz" *
 cd ..
 rm -r tarball-tmp "${name}-${version}.orig.tar.gz"
diff --git a/sources b/sources
index 2c6d2e0..9e100e3 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (xalan-j2-2.7.2.tar.gz) = 8f03d3e8f239a1efe71b8b4e3830f21c35fdeda69465bec377f139718e0ce0e842dde3b3a9a8922d14d0d3ad91f731134c604d71bc66aeb26e78ab0cbb0776a6
+SHA512 (xalan-j2-2.7.2.tar.gz) = d30cc8179eb98704f8bbab80b6462565b177bc9cee99be042f0cad0d34924446574ae849f735fcc0cbbbcd81963c1b1bc0f76d8f981109ae168b21cb057c0eef
 SHA512 (xalan-2.7.2.pom) = 4b95e3eb3a2ab262c9a27040a5214cfb8c49c36ece8e71a933074eb063205ef96deff351f017b034c9c97d43d77b020482aade7bc01e1245d8ee10a51269c5ce
 SHA512 (serializer-2.7.2.pom) = 1a20cd7008ab876f9605a67515d558b26b9be009c4f49cb27ddf5aa715b5d164c476c236b6d6edf39e81538dfb1516271c3859af8e73f8cdbeee24efb45e9a44
 SHA512 (xsltc-2.7.2.pom) = 89c5c2cd358c32a9b8073869abdcb1df21a95c21a1a099c1b91f25ac3de7fdf9893977cb227efa4dad1de29773aaaef155155d1ec8648aae3c2e512154c200ef
diff --git a/xalan-j2-CVE-2014-0107.patch b/xalan-j2-CVE-2014-0107.patch
new file mode 100644
index 0000000..3358f60
--- /dev/null
+++ b/xalan-j2-CVE-2014-0107.patch
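Review bot: The new `wget` line in the RETRIEVE hunk pulls the upstream archive over plain HTTP from a third-party mirror (apache.miloslavbrada.cz) with no integrity check before the tarball is repacked, and because the SHA512 in `sources` is computed from that repack, a tampered or stale mirror becomes the recorded "truth" instead of being caught. Keep the canonical archive.apache.org host (which also retains old releases that mirrors drop) over https, and verify the release signature before extracting, e.g. `wget "https://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz.asc"` followed by `gpg --verify "xalan-j_${version//./_}-src.tar.gz.asc" "${name}-${version}.orig.tar.gz"` against the project's KEYS file, failing the script if verification does not succeed. If the mirror is needed for availability, at least fetch the `.sha512`/`.asc` from the canonical host and check the download against it so the mirror cannot substitute content.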
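Review bot: Dropping `rm */src/*.tar.gz` in the CLEAN TARBALL hunk puts the archives bundled under src/ back into the repacked source, which is the opposite of what this script exists to do (the spec introduces it as "Remove bundled binaries which cannot be easily verified for licensing"); unless those archives are now known to be needed and license-clean, the line should stay, and the commit message should say why if not. Switching to `tar czf` is the right fix for a `.tar.gz` that was previously written uncompressed, but gzip embeds a timestamp, so every run of this script produces a different file and the SHA512 in `sources` cannot be reproduced by a reviewer; use `tar cf - * | gzip -n > "../${name}-${version}.tar.gz"` (adding `--sort=name --mtime=@0 --owner=0 --group=0` when GNU tar can be assumed) so the recorded hash is reproducible.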
@@ -0,0 +1,148 @@ +diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java +index 1298943..96a5e58 100644 +--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java ++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java +@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory + reader = XMLReaderFactory.createXMLReader(); + } + ++ if(m_isSecureProcessing) ++ { ++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false); ++ } + // Need to set options! + reader.setContentHandler(handler); + reader.parse(isource); +diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java +index b946743..17b7395 100644 +--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java ++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java +@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement + } + else + { +- // Can we switch the order here: +- +- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, +- attributes.getQName(i), attributes.getValue(i), +- target); +- +- // Now we only add the element if it passed a validation check +- if (success) +- processedDefs.add(attrDef); +- else +- errorDefs.add(attrDef); ++ //handle secure processing ++ if(handler.getStylesheetProcessor()==null) ++ System.out.println("stylesheet processor null"); ++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing()) ++ { ++ //foreign attributes are not allowed in secure processing mode ++ // Then barf, because this element does not allow this attribute. 
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\"" ++ //+ " attribute is not allowed on the " + rawName ++ // + " element!", null); ++ } ++ else ++ { ++ ++ ++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, ++ attributes.getQName(i), attributes.getValue(i), ++ target); ++ ++ // Now we only add the element if it passed a validation check ++ if (success) ++ processedDefs.add(attrDef); ++ else ++ errorDefs.add(attrDef); ++ } + } + } + +diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java +index dd0d4d9..0906d24 100644 +--- a/src/org/apache/xalan/transformer/TransformerImpl.java ++++ b/src/org/apache/xalan/transformer/TransformerImpl.java +@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer + try + { + if (sroot.getExtensions() != null) +- m_extensionsTable = new ExtensionsTable(sroot); ++ //only load extensions if secureProcessing is disabled ++ if(!sroot.isSecureProcessing()) ++ m_extensionsTable = new ExtensionsTable(sroot); + } + catch (javax.xml.transform.TransformerException te) + {te.printStackTrace();} +diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java +index 4bea356..78ac980 100644 +--- a/src/org/apache/xpath/functions/FuncSystemProperty.java ++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java +@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg + + String fullName = m_arg0.execute(xctxt).str(); + int indexOfNSSep = fullName.indexOf(':'); +- String result; ++ String result = null; + String propName = ""; + + // List of properties where the name of the +@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg + + try + { +- result = System.getProperty(propName); +- +- if (null == result) +- { +- +- // result = System.getenv(propName); +- 
return XString.EMPTYSTRING; +- } ++ //if secure procession is enabled only handle required properties do not not map any valid system property ++ if(!xctxt.isSecureProcessing()) ++ { ++ result = System.getProperty(propName); ++ } ++ else ++ { ++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, ++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); ++ } ++ if (null == result) ++ { ++ return XString.EMPTYSTRING; ++ } + } + catch (SecurityException se) + { +@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg + { + try + { +- result = System.getProperty(fullName); +- +- if (null == result) +- { +- +- // result = System.getenv(fullName); +- return XString.EMPTYSTRING; +- } ++ //if secure procession is enabled only handle required properties do not not map any valid system property ++ if(!xctxt.isSecureProcessing()) ++ { ++ result = System.getProperty(fullName); ++ } ++ else ++ { ++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, ++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); ++ } ++ if (null == result) ++ { ++ return XString.EMPTYSTRING; ++ } + } + catch (SecurityException se) + { diff --git a/xalan-j2-MANIFEST.MF b/xalan-j2-MANIFEST.MF index 2947cce..f5d77cf 100644 --- a/xalan-j2-MANIFEST.MF +++ b/xalan-j2-MANIFEST.MF 
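Review bot: The secure-processing hardening added to TransformerFactoryImpl disables only `http://xml.org/sax/features/external-general-entities`; external parameter entities and the external DTD subset itself are still fetched, so a stylesheet carrying `<!DOCTYPE x [<!ENTITY % p SYSTEM "http://...">%p;]>` can still cause out-of-band requests and entity expansion in secure mode. Add `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` beside the existing call, and handle SAXNotRecognizedException/SAXNotSupportedException for non-Xerces readers rather than letting an unsupported feature abort or silently skip the hardening. In XSLTElementProcessor the new `System.out.println("stylesheet processor null")` is a leftover debug print, and the very next line dereferences the same `handler.getStylesheetProcessor()` result, so the null case ends in a NullPointerException anyway; either treat a null processor as an error via `handler.error(...)`/return, or drop the check. The patch only touches the interpretive processor (org.apache.xalan.processor, transformer, xpath); the manifest in this same commit exports org.apache.xalan.xsltc.*, so confirm that XSLTC's transformer factory and extension-function/system-property paths receive equivalent secure-processing checks, otherwise the jar remains exposed through the compiling transformer.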
@@ -5,48 +5,48 @@ Main-Class: org.apache.xalan.xslt.Process Bundle-ManifestVersion: 2 Bundle-Name: %Bundle-Name.0 Bundle-SymbolicName: org.apache.xalan -Bundle-Version: 2.7.2 +Bundle-Version: 2.7.1 Bundle-Vendor: %Bundle-Vendor.0 -Export-Package: org.apache.regexp;version="2.7.2", - org.apache.xalan;version="2.7.2", - org.apache.xalan.client;version="2.7.2", - org.apache.xalan.extensions;version="2.7.2", - org.apache.xalan.lib;version="2.7.2", - org.apache.xalan.lib.sql;version="2.7.2", - org.apache.xalan.processor;version="2.7.2", - org.apache.xalan.res;version="2.7.2", - org.apache.xalan.serialize;version="2.7.2", - org.apache.xalan.templates;version="2.7.2", - org.apache.xalan.trace;version="2.7.2", - org.apache.xalan.transformer;version="2.7.2", - org.apache.xalan.xslt;version="2.7.2", - org.apache.xalan.xsltc;version="2.7.2", - org.apache.xalan.xsltc.cmdline;version="2.7.2", - org.apache.xalan.xsltc.cmdline.getopt;version="2.7.2", - org.apache.xalan.xsltc.compiler;version="2.7.2", - org.apache.xalan.xsltc.compiler.util;version="2.7.2", - org.apache.xalan.xsltc.dom;version="2.7.2", - org.apache.xalan.xsltc.runtime;version="2.7.2", - org.apache.xalan.xsltc.runtime.output;version="2.7.2", - org.apache.xalan.xsltc.trax;version="2.7.2", - org.apache.xalan.xsltc.util;version="2.7.2", - org.apache.xml.dtm;version="2.7.2", - org.apache.xml.dtm.ref;version="2.7.2", - org.apache.xml.dtm.ref.dom2dtm;version="2.7.2", - org.apache.xml.dtm.ref.sax2dtm;version="2.7.2", - org.apache.xml.res;version="2.7.2", - org.apache.xml.utils;version="2.7.2", - org.apache.xml.utils.res;version="2.7.2", - org.apache.xpath;version="2.7.2", - org.apache.xpath.axes;version="2.7.2", - org.apache.xpath.compiler;version="2.7.2", - org.apache.xpath.domapi;version="2.7.2", - org.apache.xpath.functions;version="2.7.2", - org.apache.xpath.jaxp;version="2.7.2", - org.apache.xpath.objects;version="2.7.2", - org.apache.xpath.operations;version="2.7.2", - org.apache.xpath.patterns;version="2.7.2", - 
org.apache.xpath.res;version="2.7.2" +Export-Package: org.apache.regexp;version="2.7.1", + org.apache.xalan;version="2.7.1", + org.apache.xalan.client;version="2.7.1", + org.apache.xalan.extensions;version="2.7.1", + org.apache.xalan.lib;version="2.7.1", + org.apache.xalan.lib.sql;version="2.7.1", + org.apache.xalan.processor;version="2.7.1", + org.apache.xalan.res;version="2.7.1", + org.apache.xalan.serialize;version="2.7.1", + org.apache.xalan.templates;version="2.7.1", + org.apache.xalan.trace;version="2.7.1", + org.apache.xalan.transformer;version="2.7.1", + org.apache.xalan.xslt;version="2.7.1", + org.apache.xalan.xsltc;version="2.7.1", + org.apache.xalan.xsltc.cmdline;version="2.7.1", + org.apache.xalan.xsltc.cmdline.getopt;version="2.7.1", + org.apache.xalan.xsltc.compiler;version="2.7.1", + org.apache.xalan.xsltc.compiler.util;version="2.7.1", + org.apache.xalan.xsltc.dom;version="2.7.1", + org.apache.xalan.xsltc.runtime;version="2.7.1", + org.apache.xalan.xsltc.runtime.output;version="2.7.1", + org.apache.xalan.xsltc.trax;version="2.7.1", + org.apache.xalan.xsltc.util;version="2.7.1", + org.apache.xml.dtm;version="2.7.1", + org.apache.xml.dtm.ref;version="2.7.1", + org.apache.xml.dtm.ref.dom2dtm;version="2.7.1", + org.apache.xml.dtm.ref.sax2dtm;version="2.7.1", + org.apache.xml.res;version="2.7.1", + org.apache.xml.utils;version="2.7.1", + org.apache.xml.utils.res;version="2.7.1", + org.apache.xpath;version="2.7.1", + org.apache.xpath.axes;version="2.7.1", + org.apache.xpath.compiler;version="2.7.1", + org.apache.xpath.domapi;version="2.7.1", + org.apache.xpath.functions;version="2.7.1", + org.apache.xpath.jaxp;version="2.7.1", + org.apache.xpath.objects;version="2.7.1", + org.apache.xpath.operations;version="2.7.1", + org.apache.xpath.patterns;version="2.7.1", + org.apache.xpath.res;version="2.7.1" Require-Bundle: system.bundle, org.apache.xerces Eclipse-BuddyPolicy: registered 
@@ -56,20 +56,20 @@ Specification-Title: Java API for XML Processing Specification-Vendor: Sun Microsystems Inc. Specification-Version: 1.3 Implementation-Title: org.apache.xalan -Implementation-Version: 2.7.2 +Implementation-Version: 2.7.1 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ Name: org/apache/xml/ Comment: DTM implementation and utilities Implementation-Title: org.apache.xml -Implementation-Version: 2.7.2 +Implementation-Version: 2.7.1 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ Name: org/apache/xpath/ Comment: XPath engine Implementation-Title: org.apache.xpath -Implementation-Version: 2.7.2 +Implementation-Version: 2.7.1 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ diff --git a/xalan-j2.spec b/xalan-j2.spec index 09f10d9..f90aec0 100644 --- a/xalan-j2.spec +++ b/xalan-j2.spec 
@@ -1,39 +1,8 @@ -# Copyright (c) 2000-2005, JPackage Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the -# distribution. -# 3. Neither the name of the JPackage Project nor the names of its -# contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -%global cvs_version 2_7_2 +%global cvs_version %(echo %{version} | tr . _) Name: xalan-j2 Version: 2.7.2 -Release: 8%{?dist} -Epoch: 0 +Release: 9%{?dist} Summary: Java XSLT processor # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C License: ASL 2.0 and W3C 
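Review bot: The new `%global cvs_version %(echo %{version} | tr . _)` runs its shell expansion when that line is parsed, which is before the `Version:` tag below it is seen, so `%{version}` is likely still unexpanded at that point and the `tr` never sees the dots; move the `%global` below `Version:` (or compute the directory name inside `%prep`) and check that `%setup -q -n xalan-j_%{cvs_version}` still resolves to `xalan-j_2_7_2`. Separately, `Version:` stays at 2.7.2 while the same commit sets `Bundle-Version: 2.7.1` in the manifest and adds a CVE-2014-0107 patch that upstream shipped in 2.7.2, so it is not clear which release is actually being packaged; the spec, the manifest and the `sources` entry should agree on one version before this is built.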
@@ -41,15 +10,15 @@ URL: http://xalan.apache.org/ # ./generate-tarball.sh Source0: %{name}-%{version}.tar.gz -Source1: %{name}-serializer-MANIFEST.MF +Source1: xalan-j2-serializer-MANIFEST.MF Source2: http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom Source3: http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom Source4: xsltc-%{version}.pom -Source5: %{name}-MANIFEST.MF +Source5: xalan-j2-MANIFEST.MF # Remove bundled binaries which cannot be easily verified for licensing Source6: generate-tarball.sh -Patch0: %{name}-noxsltcdeps.patch +Patch0: xalan-j2-noxsltcdeps.patch BuildArch: noarch @@ -60,10 +29,8 @@ BuildRequires: bcel BuildRequires: java_cup BuildRequires: regexp BuildRequires: sed -BuildRequires: glassfish-servlet-api BuildRequires: xerces-j2 >= 0:2.7.1 BuildRequires: xml-commons-apis >= 0:1.3 -BuildRequires: java-1.8.0-openjdk-devel Requires: xerces-j2 @@ -95,22 +62,6 @@ License: ASL 2.0 %description manual Documentation for %{name}. -%package javadoc -Summary: Javadoc for %{name} -License: ASL 2.0 - -%description javadoc -Javadoc for %{name}. - -%package demo -Summary: Demo for %{name} -License: ASL 2.0 -Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: glassfish-servlet-api - -%description demo -Demonstrations and samples for %{name}. - %prep %setup -q -n xalan-j_%{cvs_version} %patch0 -p0 @@ -118,7 +69,8 @@ Demonstrations and samples for %{name}. find . -name '*.jar' -delete find . -name '*.class' -delete -sed -i '/
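Review bot: The newly added `xalan-j2-CVE-2014-0107.patch` is not referenced anywhere in the visible spec hunks: only `Patch0: xalan-j2-noxsltcdeps.patch` is declared and `%prep` still runs just `%patch0 -p0`, so unless a hunk outside this view wires it in, the patch is never applied and the built jar ships without the fix. Add `Patch1: xalan-j2-CVE-2014-0107.patch` after `Patch0` and `%patch1 -p1` after `%patch0 -p0` (the patch uses `a/` and `b/` prefixes, so `-p1`, not `-p0`). The final `%prep` hunk is cut off at the end of this view, so the `sed -i` change there could not be reviewed.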