diff --git a/.gitignore b/.gitignore
index 6a0d95b..da0444d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /jdk9-jdk9-jdk-9+181-CPU3.tar.xz
 /jdk9-jdk9-jdk-9+181-CPU4.tar.xz
 /jdk-updates-jdk9u-jdk-9.0.1+11.tar.xz
+/jdk-updates-jdk9u-jdk-9.0.4+11.tar.xz
diff --git a/java-9-openjdk.spec b/java-9-openjdk.spec
index 5fc8d10..c9acf6d 100644
--- a/java-9-openjdk.spec
+++ b/java-9-openjdk.spec
@@ -141,7 +141,7 @@
 
 # New Version-String scheme-style defines
 %global majorver 9
-%global securityver 1
+%global securityver 4
 
 # Standard JPackage naming and versioning defines.
 %global origin          openjdk
@@ -853,7 +853,7 @@ Provides: java-%{javaver}-%{origin}-accessiblity = %{epoch}:%{version}-%{release
 
 Name:    java-%{majorver}-%{origin}
 Version: %{newjavaver}.%{buildver}
-Release: 4%{?dist}
+Release: 1%{?dist}
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons,
 # and this change was brought into RHEL-4.  java-1.5.0-ibm packages
 # also included the epoch in their virtual provides.  This created a
@@ -872,7 +872,10 @@ License:  ASL 1.1 and ASL 2.0 and GPL+ and GPLv2 and GPLv2 with exceptions and L
 URL:      http://openjdk.java.net/
 
 # Source from upstrem OpenJDK9 project. To regenerate, use
-# ./generate_source_tarball.sh jdk9 jdk9 jdk9-%%{buildver}
+# PROJECT_NAME=jdk-updates REPO_NAME=jdk9u VERSION=jdk-%%{majorver}.%%{minorver}.%%{securityver}+%%{buildver} ./generate_source_tarball.sh
+#
+# Example:
+# PROJECT_NAME=jdk-updates REPO_NAME=jdk9u VERSION=jdk-9.0.4+11 ./generate_source_tarball.sh 
 Source0:  jdk-updates-jdk%{majorver}u-jdk-%{newjavaver}+%{buildver}.tar.xz
 
 # Custom README for -src subpackage
@@ -1819,6 +1822,9 @@ require "copy_jdk_configs.lua"
 
 
 %changelog
+* Wed Jan 17 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:9.0.4.11-1
+- Update to new upstream version 9.0.4+11 (January CPU)
+
 * Wed Nov 22 2017 jvanek <jvanek@redhat.com> - 1:9.0.1.11-4
 - added link to cacerts
 - unlike jdk8, cacert link is absolute link
diff --git a/pr2126-9.patch b/pr2126-9.patch
index 6a4a1eb..ec9ae29 100644
--- a/pr2126-9.patch
+++ b/pr2126-9.patch
@@ -1,6 +1,99 @@
-diff -r bd66ea2fdde3 src/java.base/share/classes/sun/security/util/CurveDB.java
---- openjdk/jdk/src/java.base/share/classes/sun/security/util/CurveDB.java	Thu Jul 27 18:04:48 2017 +0000
-+++ openjdk/jdk/src/java.base/share/classes/sun/security/util/CurveDB.java	Fri Oct 06 13:18:47 2017 +0200
+diff --git a/src/java.base/share/classes/sun/security/ssl/NamedGroup.java b/src/java.base/share/classes/sun/security/ssl/NamedGroup.java
+--- openjdk/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java
++++ openjdk/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java
+@@ -34,57 +34,6 @@
+     //
+     // See sun.security.util.CurveDB for the OIDs
+ 
+-    // NIST K-163
+-    SECT163_K1(1, NAMED_GROUP_ECDHE, "sect163k1", "1.3.132.0.1", true),
+-
+-    SECT163_R1(2, NAMED_GROUP_ECDHE, "sect163r1", "1.3.132.0.2", false),
+-
+-    // NIST B-163
+-    SECT163_R2(3, NAMED_GROUP_ECDHE, "sect163r2", "1.3.132.0.15", true),
+-
+-    SECT193_R1(4, NAMED_GROUP_ECDHE, "sect193r1", "1.3.132.0.24", false),
+-    SECT193_R2(5, NAMED_GROUP_ECDHE, "sect193r2", "1.3.132.0.25", false),
+-
+-    // NIST K-233
+-    SECT233_K1(6, NAMED_GROUP_ECDHE, "sect233k1", "1.3.132.0.26", true),
+-
+-    // NIST B-233
+-    SECT233_R1(7, NAMED_GROUP_ECDHE, "sect233r1", "1.3.132.0.27", true),
+-
+-    SECT239_K1(8, NAMED_GROUP_ECDHE, "sect239k1", "1.3.132.0.3", false),
+-
+-    // NIST K-283
+-    SECT283_K1(9, NAMED_GROUP_ECDHE, "sect283k1", "1.3.132.0.16", true),
+-
+-    // NIST B-283
+-    SECT283_R1(10, NAMED_GROUP_ECDHE, "sect283r1", "1.3.132.0.17", true),
+-
+-    // NIST K-409
+-    SECT409_K1(11, NAMED_GROUP_ECDHE, "sect409k1", "1.3.132.0.36", true),
+-
+-    // NIST B-409
+-    SECT409_R1(12, NAMED_GROUP_ECDHE, "sect409r1", "1.3.132.0.37", true),
+-
+-    // NIST K-571
+-    SECT571_K1(13, NAMED_GROUP_ECDHE, "sect571k1", "1.3.132.0.38", true),
+-
+-    // NIST B-571
+-    SECT571_R1(14, NAMED_GROUP_ECDHE, "sect571r1", "1.3.132.0.39", true),
+-
+-    SECP160_K1(15, NAMED_GROUP_ECDHE, "secp160k1", "1.3.132.0.9", false),
+-    SECP160_R1(16, NAMED_GROUP_ECDHE, "secp160r1", "1.3.132.0.8", false),
+-    SECP160_R2(17, NAMED_GROUP_ECDHE, "secp160r2", "1.3.132.0.30", false),
+-    SECP192_K1(18, NAMED_GROUP_ECDHE, "secp192k1", "1.3.132.0.31", false),
+-
+-    // NIST P-192
+-    SECP192_R1(19, NAMED_GROUP_ECDHE, "secp192r1", "1.2.840.10045.3.1.1", true),
+-
+-    SECP224_K1(20, NAMED_GROUP_ECDHE, "secp224k1", "1.3.132.0.32", false),
+-    // NIST P-224
+-    SECP224_R1(21, NAMED_GROUP_ECDHE, "secp224r1", "1.3.132.0.33", true),
+-
+-    SECP256_K1(22, NAMED_GROUP_ECDHE, "secp256k1", "1.3.132.0.10", false),
+-
+     // NIST P-256
+     SECP256_R1(23, NAMED_GROUP_ECDHE, "secp256r1", "1.2.840.10045.3.1.7", true),
+ 
+diff --git a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+--- openjdk/jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
++++ openjdk/jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+@@ -116,12 +116,6 @@
+                     NamedGroup.SECP256_R1,
+                     NamedGroup.SECP384_R1,
+                     NamedGroup.SECP521_R1,
+-                    NamedGroup.SECT283_K1,
+-                    NamedGroup.SECT283_R1,
+-                    NamedGroup.SECT409_K1,
+-                    NamedGroup.SECT409_R1,
+-                    NamedGroup.SECT571_K1,
+-                    NamedGroup.SECT571_R1,
+ 
+                     // FFDHE 2048
+                     NamedGroup.FFDHE_2048,
+@@ -136,15 +130,6 @@
+                     NamedGroup.SECP256_R1,
+                     NamedGroup.SECP384_R1,
+                     NamedGroup.SECP521_R1,
+-                    NamedGroup.SECT283_K1,
+-                    NamedGroup.SECT283_R1,
+-                    NamedGroup.SECT409_K1,
+-                    NamedGroup.SECT409_R1,
+-                    NamedGroup.SECT571_K1,
+-                    NamedGroup.SECT571_R1,
+-
+-                    // non-NIST curves
+-                    NamedGroup.SECP256_K1,
+ 
+                     // FFDHE 2048
+                     NamedGroup.FFDHE_2048,
+diff --git a/src/java.base/share/classes/sun/security/util/CurveDB.java b/src/java.base/share/classes/sun/security/util/CurveDB.java
+--- openjdk/jdk/src/java.base/share/classes/sun/security/util/CurveDB.java
++++ openjdk/jdk/src/java.base/share/classes/sun/security/util/CurveDB.java
 @@ -168,114 +168,6 @@
          Pattern nameSplitPattern = Pattern.compile(SPLIT_PATTERN);
  
@@ -552,9 +645,9 @@ diff -r bd66ea2fdde3 src/java.base/share/classes/sun/security/util/CurveDB.java
          specCollection = Collections.unmodifiableCollection(oidMap.values());
      }
  }
-diff -r bd66ea2fdde3 test/sun/security/ec/TestEC.java
---- openjdk/jdk/test/sun/security/ec/TestEC.java	Thu Jul 27 18:04:48 2017 +0000
-+++ openjdk/jdk/test/sun/security/ec/TestEC.java	Fri Oct 06 13:18:47 2017 +0200
+diff --git a/test/sun/security/ec/TestEC.java b/test/sun/security/ec/TestEC.java
+--- openjdk/jdk/test/sun/security/ec/TestEC.java
++++ openjdk/jdk/test/sun/security/ec/TestEC.java
 @@ -35,8 +35,8 @@
   * @library ../pkcs11/sslecc
   * @library ../../../java/security/testlibrary
@@ -567,8 +660,8 @@ diff -r bd66ea2fdde3 test/sun/security/ec/TestEC.java
  
  import java.security.NoSuchProviderException;
 diff -r bd66ea2fdde3 test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
---- openjdk/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Thu Jul 27 18:04:48 2017 +0000
-+++ openjdk/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Fri Oct 06 13:18:47 2017 +0200
+--- openjdk/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java       Thu Jul 27 18:04:48 2017 +0000
++++ openjdk/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java       Fri Oct 06 13:18:47 2017 +0200
 @@ -34,9 +34,9 @@
   * @library ..
   * @library ../../../../java/security/testlibrary
@@ -580,4 +673,3 @@ diff -r bd66ea2fdde3 test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
 + * @run main/othervm -Djdk.tls.namedGroups="secp256r1"
   *      ClientJSSEServerJSSE sm policy
   */
- 
diff --git a/removeSunEcProvider-RH1154143.patch b/removeSunEcProvider-RH1154143.patch
index 3cfb78c..b7dcc53 100644
--- a/removeSunEcProvider-RH1154143.patch
+++ b/removeSunEcProvider-RH1154143.patch
@@ -1,6 +1,6 @@
---- jdk9/jdk/src/java.base/share/conf/security/java.security
-+++ jdk9/jdk/src/java.base/share/conf/security/java.security
-@@ -67,7 +67,6 @@
+--- openjdk/jdk/src/java.base/share/conf/security/java.security.orig	2018-01-18 12:22:46.148339081 +0100
++++ openjdk/jdk/src/java.base/share/conf/security/java.security	2018-01-18 12:25:12.225469321 +0100
+@@ -66,7 +66,6 @@
  #endif
  security.provider.tbd=SUN
  security.provider.tbd=SunRsaSign
@@ -8,13 +8,12 @@
  security.provider.tbd=SunJSSE
  security.provider.tbd=SunJCE
  security.provider.tbd=SunJGSS
-@@ -676,7 +675,7 @@
+@@ -681,7 +680,7 @@
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
--    EC keySize < 224
-+    EC, ECDHE, ECDH
+-    EC keySize < 224, DES40_CBC, RC4_40
++    EC, ECDHE, ECDH, DES40_CBC, RC4_40
  
+ #
  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.
-
diff --git a/sources b/sources
index fe4a8ca..f7375cd 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (jdk-updates-jdk9u-jdk-9.0.1+11.tar.xz) = 561efb301f67a118018df57b312209cbe5d9a6088221a7a0a1d343e29af2437b81c4c22ae6cc2ebd22c2c569937e1df0ced4d46c8387b2f5b0d5f558e64be618
+SHA512 (jdk-updates-jdk9u-jdk-9.0.4+11.tar.xz) = 88e07166a2b0b447489b0b33ae45da1184f57ee8ca108e2b9d2d356e00003111512f5b7af2d364219c6478ecede9e8bd5f9ee51669e8a73a7572b5451d075634
 SHA512 (systemtap-tapset-3.6.0pre02.tar.xz) = 848f42ef7ca751e723fd50e3a6da14c0965ad4da37ea3331568658e27497b7a7e4b9aad3dedd264ad0bb5566c37a92302b905f10258a4e2c89dc4ba609e55481