diff --git a/.gitignore b/.gitignore
index 7ba5754..fc72544 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/class-rewriter.tar.gz
-SOURCES/openjdk-icedtea-2.6.8.tar.xz
+SOURCES/openjdk-icedtea-2.6.9.tar.xz
 SOURCES/pulseaudio.tar.gz
 SOURCES/systemtap-tapset-2016-07-20.tar.xz
diff --git a/.java-1.7.0-openjdk.metadata b/.java-1.7.0-openjdk.metadata
index dff9f27..6db2a35 100644
--- a/.java-1.7.0-openjdk.metadata
+++ b/.java-1.7.0-openjdk.metadata
@@ -1,4 +1,4 @@
 fcc167de17354efb6e52cb387eb3e7dbb0316b53 SOURCES/class-rewriter.tar.gz
-4679bc029f4c62f3f6fcef82b5418429f215048c SOURCES/openjdk-icedtea-2.6.8.tar.xz
+ab167e7666de62316bdbee393b3628479b35206b SOURCES/openjdk-icedtea-2.6.9.tar.xz
 fb72b6b1f4735ad9b5799d0b5058b0b1dec67b17 SOURCES/pulseaudio.tar.gz
 99b0cc8fa222bc6339374cfb8f8560d911613502 SOURCES/systemtap-tapset-2016-07-20.tar.xz
diff --git a/SOURCES/fsg.sh b/SOURCES/fsg.sh
index b5513eb..7325163 100644
--- a/SOURCES/fsg.sh
+++ b/SOURCES/fsg.sh
@@ -130,3 +130,5 @@ else
     echo "Applying ${PR2124}"
     patch -Np0 < $PR2124
 fi;
+echo "Cleaning up after patch application"
+find . -name '*.orig' | xargs rm -vf
diff --git a/SOURCES/pr2809.patch b/SOURCES/pr2809.patch
index 32f1c39..5163bd6 100644
--- a/SOURCES/pr2809.patch
+++ b/SOURCES/pr2809.patch
@@ -1,63 +1,55 @@
-# HG changeset patch
-# User xuelei
-# Date 1453868482 0
-#      Wed Jan 27 04:21:22 2016 +0000
-# Node ID 8d589911411743fa38badf69c10aa067eaa996b7
-# Parent  ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5
-8076221, PR2809: Disable RC4 cipher suites
-Reviewed-by: wetmore
-
-diff -r 88b089373a3c src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-linux	Mon Apr 18 07:48:12 2016 +0100
-@@ -437,7 +437,7 @@
+diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux
+--- openjdk/jdk/src/share/lib/security/java.security-linux
++++ openjdk/jdk/src/share/lib/security/java.security-linux
+@@ -501,7 +501,7 @@
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
--jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
-+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
+-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
+     EC keySize < 224
  
  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.
-diff -r 88b089373a3c src/share/lib/security/java.security-macosx
---- openjdk/jdk/src/share/lib/security/java.security-macosx	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-macosx	Mon Apr 18 07:48:12 2016 +0100
-@@ -442,7 +442,7 @@
+diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx
+--- openjdk/jdk/src/share/lib/security/java.security-macosx
++++ openjdk/jdk/src/share/lib/security/java.security-macosx
+@@ -506,7 +506,7 @@
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
--jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
-+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
+-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
+     EC keySize < 224
  
  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.
-diff -r 88b089373a3c src/share/lib/security/java.security-solaris
---- openjdk/jdk/src/share/lib/security/java.security-solaris	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-solaris	Mon Apr 18 07:48:12 2016 +0100
-@@ -441,7 +441,7 @@
+diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris
+--- openjdk/jdk/src/share/lib/security/java.security-solaris
++++ openjdk/jdk/src/share/lib/security/java.security-solaris
+@@ -505,7 +505,7 @@
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
--jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
-+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
+-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
+     EC keySize < 224
  
  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.
-diff -r 88b089373a3c src/share/lib/security/java.security-windows
---- openjdk/jdk/src/share/lib/security/java.security-windows	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-windows	Mon Apr 18 07:48:12 2016 +0100
-@@ -442,7 +442,7 @@
+diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows
+--- openjdk/jdk/src/share/lib/security/java.security-windows
++++ openjdk/jdk/src/share/lib/security/java.security-windows
+@@ -506,7 +506,7 @@
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
--jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
-+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
+-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
+     EC keySize < 224
  
  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.
-diff -r 88b089373a3c test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
 @@ -0,0 +1,362 @@
 +/*
 + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
@@ -421,9 +413,9 @@ diff -r 88b089373a3c test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
 +
 +
 +}
-diff -r 88b089373a3c test/sun/security/krb5/auto/SSL.java
---- openjdk/jdk/test/sun/security/krb5/auto/SSL.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/krb5/auto/SSL.java b/test/sun/security/krb5/auto/SSL.java
+--- openjdk/jdk/test/sun/security/krb5/auto/SSL.java
++++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
@@ -449,9 +441,9 @@ diff -r 88b089373a3c test/sun/security/krb5/auto/SSL.java
  
          krb5Cipher = args[0];
  
-diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
---- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
+--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
@@ -479,11 +471,11 @@ diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHa
          String keyFilename =
              System.getProperty("test.src", "./") + "/" + pathToStores +
                  "/" + keyStoreFile;
-diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
---- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Mon Apr 18 07:48:12 2016 +0100
-@@ -102,10 +102,10 @@
- import java.nio.*;
+diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
+--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
+@@ -103,10 +103,10 @@
+ import java.security.Security;
  import java.security.KeyStore;
  import java.security.KeyFactory;
 +import java.security.Security;
@@ -492,11 +484,11 @@ diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExc
  import java.security.spec.PKCS8EncodedKeySpec;
 -import java.security.spec.*;
  import java.security.interfaces.*;
- import java.util.Base64;
+ import sun.misc.BASE64Decoder;
  
-diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
+--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
@@ -514,9 +506,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Check
  
          CheckStatus cs;
  
-diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
+--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
 @@ -33,6 +33,8 @@
   * The code could certainly be tightened up a lot.
   *
@@ -537,9 +529,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Conne
          ConnectionTest ct = new ConnectionTest();
          ct.test();
      }
-diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
+--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
 @@ -180,6 +180,9 @@
      }
  
@@ -550,9 +542,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Large
  
          LargeBufs test;
  
-diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Apr 18 06:49:52 2016 +0100
-+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Apr 18 07:48:12 2016 +0100
+diff --git a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
+--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
 @@ -37,7 +37,7 @@
   */
  
diff --git a/SOURCES/rh1022017.patch b/SOURCES/rh1022017.patch
index 3468779..3585029 100644
--- a/SOURCES/rh1022017.patch
+++ b/SOURCES/rh1022017.patch
@@ -1,44 +1,28 @@
-diff -r cdfd161703ed src/share/classes/sun/security/ssl/HelloExtensions.java
---- openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java	Wed Oct 23 05:22:55 2013 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java	Thu Nov 07 12:41:45 2013 +0000
-@@ -435,25 +435,11 @@
-     // the extension value to send in the ClientHello message
-     static final SupportedEllipticCurvesExtension DEFAULT;
- 
--    private static final boolean fips;
--
-     static {
--        int[] ids;
--        fips = SunJSSE.isFIPS();
--        if (fips == false) {
--            ids = new int[] {
--                // NIST curves first
--                // prefer NIST P-256, rest in order of increasing key length
--                23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14,
--                // non-NIST curves
--                15, 16, 17, 2, 18, 4, 5, 20, 8, 22,
--            };
--        } else {
--            ids = new int[] {
--                // same as above, but allow only NIST curves in FIPS mode
--                23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14,
--            };
--        }
-+	int[] ids = new int[] {
-+	    // NSS currently only supports these three NIST curves
-+	    23, 24, 25
-+	};
-         DEFAULT = new SupportedEllipticCurvesExtension(ids);
-     }
- 
-@@ -545,10 +531,6 @@
-         if ((index <= 0) || (index >= NAMED_CURVE_OID_TABLE.length)) {
-             return false;
-         }
--        if (fips == false) {
--            // in non-FIPS mode, we support all valid indices
--            return true;
--        }
-         return DEFAULT.contains(index);
-     }
+diff --git a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java
+--- openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java
+@@ -160,20 +160,10 @@
+                 }
+             }
+         } else {        // default curves
+-            int[] ids;
+-            if (requireFips) {
+-                ids = new int[] {
+-                    // only NIST curves in FIPS mode
+-                    23, 24, 25, 9, 10, 11, 12, 13, 14,
+-                };
+-            } else {
+-                ids = new int[] {
+-                    // NIST curves first
+-                    23, 24, 25, 9, 10, 11, 12, 13, 14,
+-                    // non-NIST curves
+-                    22,
+-                };
+-            }
++            int[] ids = new int[] { 
++		// NSS currently only supports these three NIST curves
++		23, 24, 25
++	    };
  
+             idList = new ArrayList<>(ids.length);
+             for (int curveId : ids) {
diff --git a/SPECS/java-1.7.0-openjdk.spec b/SPECS/java-1.7.0-openjdk.spec
index 6d8679d..61d2c68 100644
--- a/SPECS/java-1.7.0-openjdk.spec
+++ b/SPECS/java-1.7.0-openjdk.spec
@@ -5,7 +5,7 @@
 # conflicting) files in the -debuginfo package
 %undefine _missing_build_ids_terminate_build
 
-%global icedtea_version 2.6.8
+%global icedtea_version 2.6.9
 %global hg_tag icedtea-{icedtea_version}
 
 %global aarch64			aarch64 arm64 armv8
@@ -138,7 +138,7 @@
 
 # Standard JPackage naming and versioning defines.
 %global origin          openjdk
-%global updatever       121
+%global updatever       131
 %global buildver        00
 # Keep priority on 7digits in case updatever>9
 %global priority        1700%{updatever}
@@ -1118,7 +1118,8 @@ if [ "$1" -gt 1 ]; then
        "${sum}" = '9b517554fffe801f6894dfa0e8169cb1' -o \
        "${sum}" = '795b59e52fe426f59d76d43defafabab' -o \
        "${sum}" = 'ec53f8629ce93fd2d8cdb1a143cbefdf' -o \
-       "${sum}" = '7969a8d2dbc8db1ee232097cd0375d65' ]; then
+       "${sum}" = '7969a8d2dbc8db1ee232097cd0375d65' -o \
+       "${sum}" = '8576d747a8d0811c3df016b421c38d32' ]; then
     if [ -f "${javasecurity}.rpmnew" ]; then
       mv -f "${javasecurity}.rpmnew" "${javasecurity}"
     fi
@@ -1372,6 +1373,7 @@ exit 0
 %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/local_policy.jar
 %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.policy
 %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.security
+%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/blacklisted.certs
 %config(noreplace) %{_jvmdir}/%{jredir}/lib/logging.properties
 %{_mandir}/man1/java-%{uniquesuffix}.1*
 %{_mandir}/man1/keytool-%{uniquesuffix}.1*
@@ -1470,6 +1472,17 @@ exit 0
 %{_jvmdir}/%{jredir}/lib/accessibility.properties
 
 %changelog
+* Tue Feb 07 2017 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.7.0.131-2.6.9.0
+- Add blacklisted.certs to installation file list.
+- Resolves: rhbz#1410612
+
+* Tue Feb 07 2017 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.7.0.131-2.6.9.0
+- Bump to 2.6.9 and u131b00.
+- Remove patch application debris in fsg.sh.
+- Re-generate PR2809 and RH1022017 against 2.6.9.
+- Update md5sum list with checksum for the new java.security file.
+- Resolves: rhbz#1410612
+
 * Mon Oct 31 2016 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.7.0.121-2.6.8.0
 - Turn off HotSpot bootstrap to see if it resolves build issues.
 - Resolves: rhbz#1381990