diff --git a/.gitignore b/.gitignore
index 75a0702..5f70416 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index a2cebb3..dd9d11c 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-097b9b3d7dc423db2c9a6ef554370fb77d614952 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz
+c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index ef9db68..e911b13 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,132 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u322 (2022-01-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u322
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt
+
+* Security fixes
+ - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
+ - JDK-8268488: More valuable DerValues
+ - JDK-8268494: Better inlining of inlined interfaces
+ - JDK-8268512: More content for ContentInfo
+ - JDK-8268795: Enhance digests of Jar files
+ - JDK-8268801: Improve PKCS attribute handling
+ - JDK-8268813, CVE-2022-21283: Better String matching
+ - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
+ - JDK-8269944: Better HTTP transport redux
+ - JDK-8270392, CVE-2022-21293: Improve String constructions
+ - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
+ - JDK-8270492, CVE-2022-21282: Better resolution of URIs
+ - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
+ - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
+ - JDK-8271962: Better TrueType font loading
+ - JDK-8271968: Better canonical naming
+ - JDK-8271987: Manifest improved manifest entries
+ - JDK-8272014, CVE-2022-21305: Better array indexing
+ - JDK-8272026, CVE-2022-21340: Verify Jar Verification
+ - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
+ - JDK-8272272: Enhance jcmd communication
+ - JDK-8272462: Enhance image handling
+ - JDK-8273290: Enhance sound handling
+ - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering
+ - JDK-8273756, CVE-2022-21360: Enhance BMP image support
+ - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
+* Other changes
+ - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken
+ - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03
+ - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108
+ - JDK-8041928: MouseEvent.getModifiersEx gives wrong result
+ - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402
+ - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
+ - JDK-8048021: Remove @version tag in jaxp repo
+ - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage
+ - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java
+ - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile
+ - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS
+ - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure
+ - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade
+ - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank
+ - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated
+ - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind
+ - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator
+ - JDK-8148915: Intermittent failures of bug6400879.java
+ - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism
+ - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black
+ - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests
+ - JDK-8182036: Load from initializing arraycopy uses wrong memory state
+ - JDK-8183369: RFC unconformity of HttpURLConnection with proxy
+ - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
+ - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
+ - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
+ - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
+ - JDK-8190793: Httpserver does not detect truncated request body
+ - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail
+ - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit
+ - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing
+ - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
+ - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
+ - JDK-8225083: Remove Google certificate that is expiring in December 2021
+ - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread
+ - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software
+ - JDK-8231438: [macOS] Dark mode for the desktop is not supported
+ - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina
+ - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail
+ - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails
+ - JDK-8236897: Fix the copyright header for pkcs11gcm2.h
+ - JDK-8237499: JFR: Include stack trace in the ThreadStart event
+ - JDK-8239886: Minimal VM build fails after JDK-8237499
+ - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0
+ - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
+ - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
+ - JDK-8273308: PatternMatchTest.java fails on CI
+ - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
+ - JDK-8273826: Correct Manifest file name and NPE checks
+ - JDK-8273968: JCK javax_xml tests fail in CI
+ - JDK-8274407: (tz) Update Timezone Data to 2021c
+ - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
+ - JDK-8274468: TimeZoneTest.java fails with tzdata2021b
+ - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused
+ - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
+ - JDK-8275766: (tz) Update Timezone Data to 2021e
+ - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
+ - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8271434: Removed IdenTrust Root Certificate
+===============================================
+The following root certificate from IdenTrust has been removed from
+the `cacerts` keystore:
+
+Alias Name: identrustdstx3 [jdk]
+Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
+
+JDK-8272535: Removed Google's GlobalSign Root Certificate
+=========================================================
+The following root certificate from Google has been removed from the
+`cacerts` keystore:
+
+Alias Name: globalsignr2ca [jdk]
+Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
+
+core-libs/java.time:
+
+JDK-8274857: Update Timezone Data to 2021c
+===========================================
+IANA Time Zone Database, on which JDK's Date/Time libraries are based,
+has been updated to version 2021c
+(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
+that with this update, some of the time zone rules prior to the year
+1970 have been modified according to the changes which were introduced
+with 2021b. For more detail, refer to the announcement of 2021b
+(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
+
New in release OpenJDK 8u312 (2021-10-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
new file mode 100644
index 0000000..0ab462e
--- /dev/null
+++ b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
@@ -0,0 +1,23 @@
+# HG changeset patch
+# User zgu
+# Date 1641313782 0
+# Tue Jan 04 16:29:42 2022 +0000
+# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409
+# Parent 3177fc2314df6deb4d4771148f27934a597dd1d7
+8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
+Reviewed-by: phh
+
+diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
+--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
+@@ -176,6 +176,10 @@
+
+ Thread* t = ThreadLocalStorage::get_thread_slow();
+
++ // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away
++ // (no destructors can be run)
++ os::ThreadCrashProtection::check_crash_protection(sig, t);
++
+ SignalHandlerMark shm(t);
+
+ // Note: it's not uncommon that JNI code uses signal/sigset to install
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..5aa9ec7
--- /dev/null
+++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 06c2decab204fcce5aca2d285953fcac1820b1ae
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date: Mon Jan 24 01:23:28 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index 40ca609e02..0dafe6f59c 100644
+--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -255,6 +256,9 @@ public class SharedSecrets {
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..90cc44e
--- /dev/null
+++ b/SOURCES/rh2021263-fips_missing_native_returns.patch
@@ -0,0 +1,24 @@
+commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
+Author: Fridrich Strba <fstrba@suse.com>
+Date: Mon Jan 24 01:10:57 2022 +0000
+
+ RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 6f4656bfcb..34d0ff0ce9 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 1c14733..40fb8c9 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -70,8 +70,10 @@
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches}
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches %{arm} ppc s390 s390x
# Set of architectures which run a full bootstrap cycle
-%global bootstrap_arches %{jit_arches}
+%global bootstrap_arches %{jit_arches} %{zero_arches}
# Set of architectures which support SystemTap tapsets
%global systemtap_arches %{jit_arches}
# Set of architectures which support the serviceability agent
@@ -124,9 +126,9 @@
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
%ifarch %{bootstrap_arches}
-%global bootstrap_build 1
+%global bootstrap_build true
%else
-%global bootstrap_build 1
+%global bootstrap_build false
%endif
%global bootstrap_targets images
@@ -263,9 +265,9 @@
%endif
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
-%global shenandoah_project aarch64-port
-%global shenandoah_repo jdk8u-shenandoah
-%global shenandoah_revision aarch64-shenandoah-jdk8u312-b07
+%global shenandoah_project openjdk
+%global shenandoah_repo shenandoah-jdk8u
+%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
@@ -968,8 +970,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem
# Require zoneinfo data provided by tzdata-java subpackage.
-# 2021a required as of JDK-8260356 in April CPU
-Requires: tzdata-java >= 2021a
+# 2021e required as of JDK-8275766 in January 2022 CPU
+Requires: tzdata-java >= 2021e
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
@@ -1204,6 +1206,9 @@ Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
Patch1008: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
#############################################
#
@@ -1279,13 +1284,14 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
#############################################
#
-# Patches appearing in 8u282
+# Patches appearing in 8u332
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
+Patch700: jdk8279077-missing_crash_protector_ppc.patch
#############################################
#
@@ -1362,8 +1368,8 @@ BuildRequires: java-1.8.0-openjdk-devel
%ifnarch %{jit_arches}
BuildRequires: libffi-devel
%endif
-# 2021a required as of JDK-8260356 in April CPU
-BuildRequires: tzdata-java >= 2021a
+# 2021e required as of JDK-8275766 in January 2022 CPU
+BuildRequires: tzdata-java >= 2021e
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1696,6 +1702,9 @@ sh %{SOURCE12}
%patch580
%patch539
+# Upstreamed fixes
+%patch700
+
# RPM-only fixes
%patch600
%patch1000
@@ -1708,6 +1717,8 @@ sh %{SOURCE12}
%patch1007
%patch1008
%patch1011
+%patch1014
+%patch1015
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1916,19 +1927,23 @@ installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
# Debug builds don't need same targets as release for
-# build speed-up
-maketargets="%{release_targets}"
+# build speed-up. We also avoid bootstrapping these
+# slower builds.
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
+ run_bootstrap=false
+else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
fi
-%if %{bootstrap_build}
-buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
-buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
-%{!?with_artifacts:rm -rf ${bootinstalldir}}
-%else
-buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild}
-%endif
+if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+ buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+ %{!?with_artifacts:rm -rf ${bootinstalldir}}
+else
+ buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild}
+fi
# Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
@@ -2450,6 +2465,30 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Related: rhbz#2039366
+
+* Fri Jan 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-1
+- Update to aarch64-shenandoah-jdk8u322-b06 (EA)
+- Update release notes for 8u322-b06.
+- Switch to GA mode for final release.
+- Require tzdata 2021e as of JDK-8275766.
+- Update tarball generation script to use git following shenandoah-jdk8u's move to github
+- Resolves: rhbz#2039366
+
+* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b04-0.2.ea
+- Add backport of JDK-8279077 to fix crash on ppc64
+- Resolves: rhbz#2030399
+
+* Mon Jan 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b04-0.1.ea
+- Update to aarch64-shenandoah-jdk8u322-b04 (EA)
+- Update release notes for 8u322-b04.
+- Require tzdata 2021c as of JDK-8274407.
+- Switch to EA mode.
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Related: rhbz#2039366
+
* Fri Oct 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-2
- Update to aarch64-shenandoah-jdk8u312-b07 (EA)
- Update release notes for 8u312-b07.