import Oracle_OSS java-17-openjdk-17.0.19.0.10-2.0.1.el9

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-17.0.18+8.tar.xz
+SOURCES/openjdk-17.0.19+10.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-17-openjdk.metadata

@@ -1,2 +1,2 @@
-42959b06cbb8f537c9c4a6fca941685937df4d45 SOURCES/openjdk-17.0.18+8.tar.xz
+f916b36c6361b7ed8ffb814125292c307e84fce3 SOURCES/openjdk-17.0.19+10.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/fips-17u-62c0f885e30.patch

@@ -512,7 +512,7 @@ index db56dfcd505..07e34e95c05 100644
  
      protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen) {
 diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index a020e1c15d8..3c064965e82 100644
+index 33172288ba3..de1ee6fd7a1 100644
 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
 +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
 @@ -31,6 +31,7 @@ import java.security.SecureRandom;
@@ -534,10 +534,16 @@ index a020e1c15d8..3c064965e82 100644
      @java.io.Serial
      private static final long serialVersionUID = 6812507587804302833L;
  
-@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
+@@ -143,288 +148,290 @@ public final class SunJCE extends Provider {
      void putEntries() {
          // reuse attribute map and reset before each reuse
          HashMap<String, String> attrs = new HashMap<>(3);
+-        attrs.put("SupportedKeyClasses",
+-                "java.security.interfaces.RSAPublicKey" +
+-                "|java.security.interfaces.RSAPrivateKey");
+-        ps("Signature", "NONEwithRSA",
+-                "com.sun.crypto.provider.RSACipherAdaptor", null, attrs);
+-        // continue adding cipher specific attributes
 -        attrs.put("SupportedModes", "ECB");
 -        attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
 -                + "|OAEPWITHMD5ANDMGF1PADDING"
@@ -549,9 +555,6 @@ index a020e1c15d8..3c064965e82 100644
 -                + "|OAEPWITHSHA-512ANDMGF1PADDING"
 -                + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
 -                + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
--        attrs.put("SupportedKeyClasses",
--                "java.security.interfaces.RSAPublicKey" +
--                "|java.security.interfaces.RSAPrivateKey");
 -        ps("Cipher", "RSA",
 -                "com.sun.crypto.provider.RSACipher", null, attrs);
 -
@@ -818,6 +821,12 @@ index a020e1c15d8..3c064965e82 100644
 -                "com.sun.crypto.provider.DHKeyPairGenerator",
 -                null);
 +        if (!systemFipsEnabled) {
++            attrs.put("SupportedKeyClasses",
++                    "java.security.interfaces.RSAPublicKey" +
++                    "|java.security.interfaces.RSAPrivateKey");
++            ps("Signature", "NONEwithRSA",
++                    "com.sun.crypto.provider.RSACipherAdaptor", null, attrs);
++            // continue adding cipher specific attributes
 +            attrs.put("SupportedModes", "ECB");
 +            attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
 +                    + "|OAEPWITHMD5ANDMGF1PADDING"
@@ -829,9 +838,6 @@ index a020e1c15d8..3c064965e82 100644
 +                    + "|OAEPWITHSHA-512ANDMGF1PADDING"
 +                    + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
 +                    + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-+            attrs.put("SupportedKeyClasses",
-+                    "java.security.interfaces.RSAPublicKey" +
-+                    "|java.security.interfaces.RSAPrivateKey");
 +            ps("Cipher", "RSA",
 +                    "com.sun.crypto.provider.RSACipher", null, attrs);
 +
@@ -1101,7 +1107,7 @@ index a020e1c15d8..3c064965e82 100644
  
          /*
           * Algorithm parameter generation engines
-@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
+@@ -433,15 +440,17 @@ public final class SunJCE extends Provider {
                  "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
                  null);
  
@@ -1128,7 +1134,7 @@ index a020e1c15d8..3c064965e82 100644
  
          /*
           * Algorithm Parameter engines
-@@ -610,118 +619,120 @@ public final class SunJCE extends Provider {
+@@ -613,118 +622,120 @@ public final class SunJCE extends Provider {
          ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
                  "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
  
@@ -1798,7 +1804,7 @@ index ea28bb8747e..77161eb3844 100644
 +    }
  }
 diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index fad70bdc058..29a813a485f 100644
+index 8f1ecae3ed1..044056c7bc8 100644
 --- a/src/java.base/share/classes/module-info.java
 +++ b/src/java.base/share/classes/module-info.java
 @@ -152,6 +152,8 @@ module java.base {
@@ -2508,7 +2514,7 @@ index 00000000000..dc8bc72fccb
 +    }
 +}
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index e26b7f8c394..08effe23fce 100644
+index cd6407ceffc..2c14cf189a1 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
 @@ -82,6 +82,17 @@ security.provider.tbd=Apple
@@ -2593,7 +2599,7 @@ index e26b7f8c394..08effe23fce 100644
  # the javax.net.ssl package.
 diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
 new file mode 100644
-index 00000000000..55bbba98b7a
+index 00000000000..6de716e6b42
 --- /dev/null
 +++ b/src/java.base/share/conf/security/nss.fips.cfg.in
 @@ -0,0 +1,8 @@
@@ -2603,13 +2609,13 @@ index 00000000000..55bbba98b7a
 +nssDbMode = readWrite
 +nssModule = fips
 +
-+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
++attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
 +
 diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index 4e3c326cb2f..c39faee2f43 100644
+index 9bd5dd53bd3..d1eba14c252 100644
 --- a/src/java.base/share/lib/security/default.policy
 +++ b/src/java.base/share/lib/security/default.policy
-@@ -123,6 +123,7 @@ grant codeBase "jrt:/jdk.charsets" {
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.charsets" {
  grant codeBase "jrt:/jdk.crypto.ec" {
      permission java.lang.RuntimePermission
                     "accessClassInPackage.sun.security.*";
@@ -2617,7 +2623,7 @@ index 4e3c326cb2f..c39faee2f43 100644
      permission java.lang.RuntimePermission "loadLibrary.sunec";
      permission java.security.SecurityPermission "putProviderProperty.SunEC";
      permission java.security.SecurityPermission "clearProviderProperties.SunEC";
-@@ -132,6 +133,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+@@ -133,6 +134,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
  grant codeBase "jrt:/jdk.crypto.cryptoki" {
      permission java.lang.RuntimePermission
                     "accessClassInPackage.com.sun.crypto.provider";
@@ -2625,7 +2631,7 @@ index 4e3c326cb2f..c39faee2f43 100644
      permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
      permission java.lang.RuntimePermission
                     "accessClassInPackage.sun.security.*";
-@@ -142,6 +144,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+@@ -143,6 +145,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
      permission java.util.PropertyPermission "os.name", "read";
      permission java.util.PropertyPermission "os.arch", "read";
      permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
@@ -3496,7 +3502,7 @@ index 00000000000..f8d505ca815
 +}
 \ No newline at end of file
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index e05892e2c22..cb40c3bf794 100644
+index 006aa67f621..fd86a52e65c 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 @@ -37,6 +37,8 @@ import javax.crypto.*;
@@ -4072,7 +4078,7 @@ index cabee449346..72b64f72c0a 100644
          // empty
      }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 00fbbcfe07c..b5a30c6da4e 100644
+index 19f89ad5f38..a55c890b93d 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 @@ -26,6 +26,9 @@
@@ -4411,7 +4417,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644
          d(SIG, "RawDSA",        P11Signature,
                  List.of("NONEwithDSA"),
                  m(CKM_DSA));
-@@ -1120,9 +1332,21 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1122,9 +1334,21 @@ public final class SunPKCS11 extends AuthProvider {
                  continue;
              }
              boolean allowLegacy = config.getAllowLegacy();
@@ -4433,7 +4439,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644
  
                      // assume full support if no mech info available
                      if (!allowLegacy && mechInfo != null) {
-@@ -1211,11 +1435,52 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1213,11 +1437,52 @@ public final class SunPKCS11 extends AuthProvider {
          }
  
          @Override
@@ -4486,7 +4492,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644
              try {
                  return newInstance0(param);
              } catch (PKCS11Exception e) {
-@@ -1235,6 +1500,8 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1237,6 +1502,8 @@ public final class SunPKCS11 extends AuthProvider {
                  } else if (algorithm.endsWith("GCM/NoPadding") ||
                             algorithm.startsWith("ChaCha20-Poly1305")) {
                      return new P11AEADCipher(token, algorithm, mechanism);
@@ -4495,7 +4501,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644
                  } else {
                      return new P11Cipher(token, algorithm, mechanism);
                  }
-@@ -1570,6 +1837,9 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1574,6 +1841,9 @@ public final class SunPKCS11 extends AuthProvider {
          try {
              session = token.getOpSession();
              p11.C_Logout(session.id());
@@ -5266,10 +5272,10 @@ index 0d65ee26805..38fd4aff1f3 100644
 +                                        /* (CKM_NSS + 32) */ = 0xCE534370L;
  }
 diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-index 3ea91a6cfd1..26309f4f7b2 100644
+index 376fd999261..d2b2b2e8013 100644
 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
 +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-@@ -1518,6 +1518,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+@@ -1517,6 +1517,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
          case CKM_PBE_SHA1_DES3_EDE_CBC:
          case CKM_PBE_SHA1_DES2_EDE_CBC:
          case CKM_PBA_SHA1_WITH_SHA1_HMAC:
@@ -5280,7 +5286,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644
              ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
              break;
          case CKM_PKCS5_PBKD2:
-@@ -1661,13 +1665,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+@@ -1660,13 +1664,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
      // retrieve java values
      jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
      if (jPbeParamsClass == NULL) { return NULL; }
@@ -5296,7 +5302,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644
      if (fieldID == NULL) { return NULL; }
      jSalt = (*env)->GetObjectField(env, jParam, fieldID);
      fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
-@@ -1683,15 +1687,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+@@ -1682,15 +1686,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
  
      // populate using java values
      ckParamPtr->ulIteration = jLongToCKULong(jIteration);
@@ -5315,7 +5321,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644
      if ((*env)->ExceptionCheck(env)) {
          goto cleanup;
      }
-@@ -1770,31 +1774,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+@@ -1769,31 +1773,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
      }
  }
  
@@ -5384,7 +5390,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644
      fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
      if (fieldID == NULL) { return NULL; }
      jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
-@@ -1810,36 +1842,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+@@ -1809,36 +1841,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
      fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
      if (fieldID == NULL) { return NULL; }
      jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
@@ -5458,7 +5464,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644
      return NULL;
  
 diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
-index 84edb3c5105..0f49657ada1 100644
+index 537bab224a0..3fd23558d3b 100644
 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
 +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
 @@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {

SOURCES/java-17-openjdk-portable.specfile

@@ -315,7 +315,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 18
+%global updatever 19
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -365,7 +365,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver df4c415ac9a
+%global fipsver 62c0f885e30
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver         %{featurever}
@@ -379,7 +379,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
+%global buildver 10
 %global rpmrelease 1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -662,6 +662,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
 # RH1940064: Enable XML Signature provider in FIPS mode (#24)
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
+# OPENJDK-4398: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (#44)
 Patch1001: fips-%{featurever}u-%{fipsver}.patch
 
 #############################################
@@ -752,19 +753,19 @@ BuildRequires: libpng-devel
 BuildRequires: zlib-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.13.3
+Provides: bundled(freetype) = 2.14.2
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 5.2.2
+Provides: bundled(giflib) = 6.1.2
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 11.2.0
+Provides: bundled(harfbuzz) = 12.3.2
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.51
+Provides: bundled(libpng) = 1.6.57
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
-Provides: bundled(zlib) = 1.3.1
+Provides: bundled(zlib) = 1.3.2
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
 %endif
@@ -1590,6 +1591,11 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
 $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
 %endif
 
+# Check blocked.certs is valid (OPENJDK-4362)
+jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java
+jtreg_dir=$(dirname ${jtreg_test})
+$JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test}
+
 # Check src.zip has all sources. See RHBZ#1130490
 unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
 
@@ -1832,6 +1838,37 @@ done
 %endif
 
 %changelog
+* Fri Apr 17 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.19.0.10-1
+- Set fipsver to 62c0f885e30
+
+* Thu Apr 16 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.19.0.10-1
+- Update to jdk-17.0.19+10 (GA)
+- Add to .gitignore openjdk-17.0.19+10.tar.xz
+- Set updatever to 19
+- Set buildver to 10
+- Set rpmrelease to 1
+- Update sources to openjdk-17.0.19+10.tar.xz
+- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. **
+- Set bundled freetype library version to 2.14.2
+- Set bundled giflib library version to 6.1.2
+- Set bundled harfbuzz library version to 12.3.2
+- Set bundled libpng library version to 1.6.57
+- Set bundled zlib library version to 1.3.2
+- Update NEWS for jdk-17.0.19+10 (GA)
+
+* Wed Feb 11 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.18.0.8-2
+- Add test to ensure blocked.certs is valid (OPENJDK-4362)
+- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh
+- Add gating scripts to simplify obtaining results and waiving issues
+- Remove 8.2.0-z from tag_rhel_8_public.sh and tag_rhel_8_embargoed.sh
+- Resolves: RHEL-149327
+- Related: RHEL-151197
+
+* Wed Feb 11 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.8-2
+- Set rpmrelease to 2
+- Set fipsver to e1780dd5d39
+- Resolves: RHEL-122136
+
 * Fri Jan 16 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.8-1
 - Update to jdk-17.0.18+8 (GA)
 - Add to .gitignore openjdk-17.0.18+8.tar.xz
@@ -1848,7 +1885,10 @@ done
 - Set buildver to 7
 - Set is_ga to 0
 - Update sources to openjdk-17.0.18+7-ea.tar.xz
+- Resolves: RHEL-139552
 - Set bundled libpng version to 1.6.51
+- Resolves: RHEL-131590
+- Resolves: RHEL-131601
 - Adjust attributes in nss.fips.cfg.in in fips-17u-df4c415ac9a.patch
 - Related: OPENJDK-4013
 - Related: RHEL-122136

SPECS/java-17-openjdk.spec

@@ -328,7 +328,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 18
+%global updatever 19
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -359,16 +359,20 @@
 %if 0%{?rhel}
 %global oj_vendor_bug_url https://access.redhat.com/support/cases/
 %else
+%if 0%{oraclelinux}
+%global oj_vendor_bug_url  https://github.com/oracle/oracle-linux
+%else
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
 %endif
 %endif
 %endif
+%endif
 %global oj_vendor_version (Red_Hat-%{version}-%{portablerelease})
 
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver df4c415ac9a
+%global fipsver 62c0f885e30
 %global javaver         %{featurever}
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 
@@ -383,16 +387,12 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
-%global rpmrelease 1
+%global buildver 10
+%global rpmrelease 2.0.1
 # Settings used by the portable build
-%global portablerelease 1
+%global portablerelease 1.0.1
 # Portable suffix differs between RHEL and CentOS
-%if 0%{?centos} == 0
 %global portablesuffix el8
-%else
-%global portablesuffix el9
-%endif
 %global portablebuilddir /builddir/build/BUILD
 
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -1137,8 +1137,8 @@ Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
 # Require zone-info data provided by tzdata-java sub-package
-# 2025b required as of JDK-8352716
-Requires: tzdata-java >= 2025b
+# 2026a required as of JDK-8379035
+Requires: tzdata-java >= 2026a
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@@ -1335,6 +1335,7 @@ Source18: TestTranslations.java
 # Include portable spec and instructions on how to rebuild
 Source19: README.md
 Source20: java-%{featurever}-openjdk-portable.specfile
+Source21: NEWS
 
 # Setup variables to reference correct sources
 %global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz
@@ -1404,6 +1405,7 @@ Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
 # RH1940064: Enable XML Signature provider in FIPS mode (#24)
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
+# OPENJDK-4398: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (#44)
 Patch1001: fips-%{featurever}u-%{fipsver}.patch
 
 #############################################
@@ -1468,8 +1470,8 @@ BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2025b required as of JDK-8352716
-BuildRequires: tzdata-java >= 2025b
+# 2026a required as of JDK-8379035
+BuildRequires: tzdata-java >= 2026a
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1488,19 +1490,19 @@ BuildRequires: libpng-devel
 BuildRequires: zlib-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.13.3
+Provides: bundled(freetype) = 2.14.2
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 5.2.2
+Provides: bundled(giflib) = 6.1.2
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 11.2.0
+Provides: bundled(harfbuzz) = 12.3.2
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.51
+Provides: bundled(libpng) = 1.6.57
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
-Provides: bundled(zlib) = 1.3.1
+Provides: bundled(zlib) = 1.3.2
 %endif
 
 # this is always built, also during debug-only build
@@ -2510,6 +2512,58 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Fri Apr 24 2026 Darren Archibald <darren.archibald@oracle.com> - 1:17.0.19.0.10-2.0.1
+- Add Oracle vendor bug URL [Orabug: 34340155]
+
+* Mon Apr 20 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.19.0.10-2
+- Set rpmrelease to 2 for PQC signing
+
+* Thu Apr 16 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.19.0.10-1
+- Update to jdk-17.0.19+10 (GA)
+- Add to .gitignore openjdk-17.0.19+10.tar.xz
+- Set updatever to 19
+- Set buildver to 10
+- Set rpmrelease to 1
+- Update sources to openjdk-17.0.19+10.tar.xz
+- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. **
+- Set tzdata requires and build requires to 2026a
+- Set bundled freetype library version to 2.14.2
+- Set bundled giflib library version to 6.1.2
+- Set bundled harfbuzz library version to 12.3.2
+- Set bundled libpng library version to 1.6.57
+- Set bundled zlib library version to 1.3.2
+- Set fipsver to 62c0f885e30
+- Sync NEWS from openjdk-portable-rhel-8
+- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
+- Set portablerelease to 1
+- Resolves: RHEL-133292
+- Resolves: RHEL-147350
+- Resolves: RHEL-148408
+- Resolves: RHEL-148987
+- Resolves: RHEL-161296
+- Resolves: RHEL-161445
+- Resolves: RHEL-157135
+
+* Thu Feb 12 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.8-2
+- Set portablerelease to 2
+- Remove test to ensure blocked.certs is valid, done in portable
+- Related: RHEL-122136
+- Related: RHEL-131590
+- Related: RHEL-131601
+- Related: RHEL-139552
+- Related: RHEL-149327
+
+* Wed Feb 11 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.18.0.8-2
+- Add test to ensure blocked.certs is valid (OPENJDK-4362)
+- Restore NEWS file so portable can be rebuilt
+- Resolves: RHEL-149327
+
+* Wed Feb 11 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.8-2
+- Set rpmrelease to 2
+- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9
+- Set fipsver to e1780dd5d39
+- Resolves: RHEL-122136
+
 * Fri Jan 16 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.8-1
 - Update to jdk-17.0.18+8 (GA)
 - Add to .gitignore openjdk-17.0.18+8.tar.xz
@@ -2517,6 +2571,7 @@ cjc.mainProgram(args)
 - Set buildver to 8
 - Set is_ga to 1
 - Update sources to openjdk-17.0.18+8.tar.xz
+- Resolves: RHEL-139552
 - ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
 
 * Thu Jan 15 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.18.0.7-0.1.ea
@@ -2527,6 +2582,8 @@ cjc.mainProgram(args)
 - Set is_ga to 0
 - Update sources to openjdk-17.0.18+7-ea.tar.xz
 - Set bundled libpng version to 1.6.51
+- Resolves: RHEL-131590
+- Resolves: RHEL-131601
 - Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
 
 * Thu Oct 16 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.17.0.10-1