From be56a438fe95250ca9c7d29efc599c6f907ca09d Mon Sep 17 00:00:00 2001 From: Thomas Fitzsimmons Date: Thu, 16 Apr 2026 20:01:50 -0400 Subject: [PATCH] Update to jdk-17.0.19+10 (GA) - Update to jdk-17.0.19+10 (GA) - Add to .gitignore openjdk-17.0.19+10.tar.xz - Set updatever to 19 - Set buildver to 10 - Set rpmrelease to 1 - Update sources to openjdk-17.0.19+10.tar.xz - ** This tarball is embargoed until 2026-04-21 @ 1pm PT. ** - Set tzdata requires and build requires to 2026a - Set bundled freetype library version to 2.14.2 - Set bundled giflib library version to 6.1.2 - Set bundled harfbuzz library version to 12.3.2 - Set bundled libpng library version to 1.6.57 - Set bundled zlib library version to 1.3.2 - Set fipsver to e1780dd5d39 - Set fipsver to 62c0f885e30 - Sync NEWS from openjdk-portable-rhel-8 - Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 - Resolves: RHEL-133292 - Resolves: RHEL-147350 - Resolves: RHEL-148408 - Resolves: RHEL-148987 - Resolves: RHEL-161296 - Resolves: RHEL-161445 - Resolves: RHEL-157135 --- .gitignore | 1 + NEWS | 204 ++++++++++++++++++ ...dd5d39.patch => fips-17u-62c0f885e30.patch | 40 ++-- java-17-openjdk-portable.specfile | 44 +++- java-17-openjdk.spec | 51 +++-- sources | 2 +- 6 files changed, 302 insertions(+), 40 deletions(-) rename fips-17u-e1780dd5d39.patch => fips-17u-62c0f885e30.patch (99%) diff --git a/.gitignore b/.gitignore index 2dff274..f8565d8 100644 --- a/.gitignore +++ b/.gitignore @@ -80,3 +80,4 @@ /openjdk-17.0.17+10.tar.xz /openjdk-17.0.18+7-ea.tar.xz /openjdk-17.0.18+8.tar.xz +/openjdk-17.0.19+10.tar.xz diff --git a/NEWS b/NEWS index 52c9a4f..afe070b 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,210 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.19 (2026-04-21): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17019 + +* Changes + - JDK-6899304: java.awt.Toolkit.getScreenInsets(GraphicsConfiguration) returns incorrect values + - JDK-7036144: GZIPInputStream readTrailer uses faulty available() test for end-of-stream + - JDK-8030957: AIX: Implement OperatingSystemMXBean.getSystemCpuLoad() and .getProcessCpuLoad() on AIX + - JDK-8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails + - JDK-8244336: Restrict algorithms at JCE layer + - JDK-8244400: MenuItem may cache the size and did not update it when the screen DPI is changed + - JDK-8256289: java/awt/Focus/AppletInitialFocusTest/AppletInitialFocusTest1.java failed with "RuntimeException: Wrong focus owner: java.awt.Button[button1,41,36,56x23,label=Button1]" + - JDK-8271396: Spelling errors + - JDK-8275405: Linking error for classes with lambda template parameters and virtual functions + - JDK-8282484: G1: Predicted old time in log always zero + - JDK-8283784: java_lang_String::as_platform_dependent_str stores to oop in native state + - JDK-8288556: VM crashes if it gets sent SIGUSR2 from outside + - JDK-8301875: java.util.TimeZone.getSystemTimeZoneID uses C library default file mode + - JDK-8303475: potential null pointer dereference in filemap.cpp + - JDK-8309667: TLS handshake fails because of ConcurrentModificationException in PKCS12KeyStore.engineGetEntry + - JDK-8311644: Server should not send bad_certificate alert when the client does not send any certificates + - JDK-8314555: Build with mawk fails on Windows + - JDK-8317633: Modernize text.testlib.HexDumpReader + - JDK-8326705: Test CertMsgCheck.java fails to find alert certificate_required + - JDK-8328608: Multiple NewSessionTicket support for TLS + - JDK-8329258: TailCall should not use frame pointer register for jump target + - JDK-8330016: Stress seed should be initialized for runtime stub compilation + - JDK-8331431: Update to use jtreg 7.4 + - JDK-8333386: TestAbortOnVMOperationTimeout test fails for client VM + - JDK-8334670: SSLSocketOutputRecord buffer miscalculation + - JDK-8336695: Update Commons BCEL to Version 6.10.0 + - JDK-8337102: JITTester: Fix breaks in static initialization blocks + - JDK-8337681: PNGImageWriter uses much more memory than necessary + - JDK-8337795: Type annotation attached to incorrect type during class reading + - JDK-8337998: CompletionFailure in getEnclosingType attaching type annotations + - JDK-8339271: giflib attribution correction + - JDK-8339791: Refactor MiscUndecorated/ActiveAWTWindowTest.java + - JDK-8340024: In ClassReader, extract a constant for the superclass supertype_index + - JDK-8341779: [REDO BACKPORT] type annotations are not visible to javac plugins across compilation boundaries (JDK-8225377) + - JDK-8342175: MemoryEaterMT fails intermittently with ExceptionInInitializerError + - JDK-8343622: AesDkCrypto.stringToKey should not return null + - JDK-8345578: New test in JDK-8343622 fails with a promoted build + - JDK-8346048: test/lib/containers/docker/DockerRunOptions.java uses addJavaOpts() from ctor + - JDK-8346962: Test CRLReadTimeout.java fails with -Xcomp on a fastdebug build + - JDK-8347475: GTK: javax/swing/JColorChooser/Test8152419.java there are no swatches or RGB tab in JColorChooser + - JDK-8348014: Enhance certificate processing + - JDK-8349351: Combine Screen Inset Tests into a Single File + - JDK-8351359: OperatingSystemMXBean: values from getCpuLoad and getProcessCpuLoad are stale after 24.8 days (Windows) + - JDK-8351639: Improve debuggability of test/langtools/jdk/jshell/JdiHangingListenExecutionControlTest.java test + - JDK-8353755: Add a helper method to Util - findComponent() + - JDK-8354219: Automate javax/swing/JComboBox/ComboPopupBug.java + - JDK-8354893: [REDO BACKPORT] javac crashes while adding type annotations to the return type of a constructor (JDK-8320001) + - JDK-8355278: Improve debuggability of com/sun/jndi/ldap/LdapPoolTimeoutTest.java test + - JDK-8355632: WhiteBox.waitForReferenceProcessing() fails assert for return type + - JDK-8357277: Update OpenSSL library for interop tests + - JDK-8360406: [21u] Disable logic for attaching type annotations to class files until 8359336 is fixed + - JDK-8360539: DTLS handshakes fails due to improper cookie validation logic + - JDK-8361067: Test ExtraButtonDrag.java requires frame.dispose in finally block + - JDK-8361117: SIGSEGV in LShiftLNode::Ideal due to unexpected dead node + - JDK-8361530: Test javax/swing/GraphicsConfigNotifier/StalePreferredSize.java timed out + - JDK-8363950: Incorrect jtreg header in TestLayoutVsICU.java + - JDK-8364373: Transform Affine transformations + - JDK-8364465: Enhance behavior of some intrinsics + - JDK-8366694: Test JdbStopInNotificationThreadTest.java timed out after 60 second + - JDK-8366817: test/jdk/javax/net/ssl/TLSCommon/interop/JdkProcServer.java and JdkProcClient.java should not delete logs + - JDK-8366850: Test com/sun/jdi/JdbStopInNotificationThreadTest.java failed + - JDK-8366866: SslRMIClientSocketFactory#createSocket lacking priviledges (securitymanger) + - JDK-8366938: Test runtime/handshake/HandshakeTimeoutTest.java crashed + - JDK-8367135: Test compiler/loopstripmining/CheckLoopStripMining.java needs internal timeouts adjusted + - JDK-8367904: Test java/net/InetAddress/ptr/Lookup.java should throw SkippedException + - JDK-8368787: Error reporting: hs_err files should show instructions when referencing code in nmethods + - JDK-8368882: NPE during text drawing on machine with JP locale + - JDK-8368960: Adjust java UL logging in the build + - JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA + - JDK-8369563: Gtest dll_address_to_function_and_library_name has issues with stripped pdb files + - JDK-8369575: Enhance crypto algorithm support + - JDK-8370529: Enhance Path Factories Redux + - JDK-8370579: PPC: fix inswri immediate argument order + - JDK-8370615: Improve Kerberos credentialing + - JDK-8370986: Enhance Zip file reading + - JDK-8370995: Enhance ZipFile usage + - JDK-8371103: vmTestbase/nsk/jvmti/scenarios/events/EM02/em02t006/TestDescription.java failing + - JDK-8371559: Intermittent timeouts in test javax/net/ssl/Stapling/HttpsUrlConnClient.java + - JDK-8371830: Enhance certificate chain validation + - JDK-8371935: Enhance key generation + - JDK-8371978: tools/jar/ReproducibleJar.java fails on XFS + - JDK-8372048: Performance improvement on Linux remote desktop + - JDK-8372465: Bump update version for OpenJDK: jdk-17.0.19 + - JDK-8372756: Mouse additional buttons and horizontal scrolling are broken on XWayland GNOME >= 47 after JDK-8351907 + - JDK-8372857: Improve debuggability of java/rmi/server/RemoteServer/AddrInUse.java test + - JDK-8372977: Unnecessary gthread-2.0 loading + - JDK-8373290: Update FreeType to 2.14.1 + - JDK-8373476: (tz) Update Timezone Data to 2025c + - JDK-8373727: New XBM images parser regression: only the first line of the bitmap array is parsed + - JDK-8374056: RISC-V: Fix argument passing for the RiscvFlushIcache::flush + - JDK-8374209: [17u,21u] Backout JDK-8361748 due to JDK-8373727 + - JDK-8374557: Enhance TLS connection handling + - JDK-8374642: EscapeHash macro fails with GNU make 4.3 and 4.4 + - JDK-8375057: Update HarfBuzz to 12.3.2 + - JDK-8375063: Update Libpng to 1.6.54 + - JDK-8375530: PPC64: incorrect quick verify_method_data_pointer check causes poor performance in debug build + - JDK-8375549: ConcurrentModificationException if jdk.crypto.disabledAlgorithms has multiple entries with known oid + - JDK-8376251: [macos] java/awt/Frame/I18NTitle.java fails on MacOS (JDK-8355884) + - JDK-8376270: [21u, 17u] Redo JDK-8361748: Enforce limits on the size of an XBM image + - JDK-8377509: Add licenses for gcc 14.2.0 + - JDK-8377526: Update Libpng to 1.6.55 + - JDK-8377905: gcc.md included with every build + - JDK-8378218: MSYS2 reports cygwin triplet causing bash configure failure + - JDK-8378631: Update Zlib Data Compression Library to Version 1.3.2 + - JDK-8378823: AIX build fails after zlib updated by JDK-8378631 + - JDK-8379035: (tz) Update Timezone Data to 2026a + - JDK-8379158: Update FreeType to 2.14.2 + - JDK-8379256: Update GIFlib to 6.1.1 + - JDK-8380078: Update GIFlib to 6.1.2 + - JDK-8380959: Update Libpng to 1.6.56 + - JDK-8382047: Update Libpng to 1.6.57 + +Notes on individual issues: +=========================== + +tools/javac: + +JDK-8341779: Type annotations are not visible to javac plugins across compilation boundaries +============================================================================================ +`TypeMirror` now provides access to annotations for types loaded from +bytecode. Programs that relied on annotations not being present in +loaded bytecode need to be updated to handle them. + +core-libs/java.util.jar: + +JDK-7036144: GZIPInputStream readTrailer uses faulty available() test for end-of-stream +======================================================================================= +`GZipInputStream`'s `read` methods will now check for a GZIP stream +header in additional data in the internal `InputStream`, instead of +using InputStream.available(). + +security-libs/javax.net.ssl: + +JDK-8328608: Multiple NewSessionTicket support for TLS +====================================================== +This JDK version introduces a new system property, +`jdk.tls.server.newSessionTicketCount`. It can be used to set the +number of TLSv1.3 resumption tickets sent per session by a JSSE +server. The default is 1 and the valid range is [0, 10]. + +See also "Customizing JSSE" at +https://docs.oracle.com/en/java/javase/24/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9 + +JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA +=============================================================================== +In accordance with similar plans recently announced by Google and +Mozilla, the JDK will not trust Transport Layer Security (TLS) +certificates issued after the 17th of March 2026 which are anchored by +Chungwa root certificates. + +Certificates issued on or before the 17th of March, 2026 will continue +to be trusted until they expire. + +If a server's certificate chain is anchored by an affected +certificate, attempts to negotiate a TLS session will fail with an +Exception that indicates the trust anchor is not trusted. For example, + +"TLS server certificate issued after 2026-03-17 and anchored by a +distrusted legacy Chungwa root CA: OU=ePKI Root Certification +Authority, O="Chunghwa Telecom Co.", Ltd. C=TW" + +To check whether a certificate in a JDK keystore is affected by this +change, you can the `keytool` utility: + +keytool -v -list -alias -keystore + +If any of the certificates in the chain are affected by this change, +then you will need to update the certificate or contact the +organisation responsible for managing the certificate. + +These restrictions apply to the following Chungwa root certificates +included in the JDK: + +Alias name: chunghwaepkirootca +OU=ePKI Root Certification Authority +O="Chunghwa Telecom Co., Ltd." +C=TW +SHA256:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "CHUNGWA_TLS" is no +longer listed in the `jdk.security.caDistrustPolicies` security +property. + +security-libs/java.security: + +JDK-8244336: Restrict algorithms at JCE layer +============================================= +The `java.security` file defines a new security property, +`jdk.crypto.disabledAlgorithms` that can be used to disable JCE/JCA +cryptographic services algorithms. For now, no algorithms are disabled +by default. Applications can set a system property of the same name to +override security property's value. + +See also "Disabled and Restricted Cryptographic Algorithms" at +https://docs.oracle.com/en/java/javase/26/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-0A438179-32A7-4900-A81C-29E3073E1E90 + New in release OpenJDK 17.0.18 (2026-01-20): ============================================ Live versions of these release notes can be found at: diff --git a/fips-17u-e1780dd5d39.patch b/fips-17u-62c0f885e30.patch similarity index 99% rename from fips-17u-e1780dd5d39.patch rename to fips-17u-62c0f885e30.patch index ebb9723..84e87d3 100644 --- a/fips-17u-e1780dd5d39.patch +++ b/fips-17u-62c0f885e30.patch @@ -512,7 +512,7 @@ index db56dfcd505..07e34e95c05 100644 protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen) { diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index a020e1c15d8..3c064965e82 100644 +index 33172288ba3..de1ee6fd7a1 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java @@ -31,6 +31,7 @@ import java.security.SecureRandom; @@ -534,10 +534,16 @@ index a020e1c15d8..3c064965e82 100644 @java.io.Serial private static final long serialVersionUID = 6812507587804302833L; -@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { +@@ -143,288 +148,290 @@ public final class SunJCE extends Provider { void putEntries() { // reuse attribute map and reset before each reuse HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Signature", "NONEwithRSA", +- "com.sun.crypto.provider.RSACipherAdaptor", null, attrs); +- // continue adding cipher specific attributes - attrs.put("SupportedModes", "ECB"); - attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" - + "|OAEPWITHMD5ANDMGF1PADDING" @@ -549,9 +555,6 @@ index a020e1c15d8..3c064965e82 100644 - + "|OAEPWITHSHA-512ANDMGF1PADDING" - + "|OAEPWITHSHA-512/224ANDMGF1PADDING" - + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); - ps("Cipher", "RSA", - "com.sun.crypto.provider.RSACipher", null, attrs); - @@ -818,6 +821,12 @@ index a020e1c15d8..3c064965e82 100644 - "com.sun.crypto.provider.DHKeyPairGenerator", - null); + if (!systemFipsEnabled) { ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Signature", "NONEwithRSA", ++ "com.sun.crypto.provider.RSACipherAdaptor", null, attrs); ++ // continue adding cipher specific attributes + attrs.put("SupportedModes", "ECB"); + attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" + + "|OAEPWITHMD5ANDMGF1PADDING" @@ -829,9 +838,6 @@ index a020e1c15d8..3c064965e82 100644 + + "|OAEPWITHSHA-512ANDMGF1PADDING" + + "|OAEPWITHSHA-512/224ANDMGF1PADDING" + + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); + ps("Cipher", "RSA", + "com.sun.crypto.provider.RSACipher", null, attrs); + @@ -1101,7 +1107,7 @@ index a020e1c15d8..3c064965e82 100644 /* * Algorithm parameter generation engines -@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { +@@ -433,15 +440,17 @@ public final class SunJCE extends Provider { "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", null); @@ -1128,7 +1134,7 @@ index a020e1c15d8..3c064965e82 100644 /* * Algorithm Parameter engines -@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { +@@ -613,118 +622,120 @@ public final class SunJCE extends Provider { ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); @@ -2508,7 +2514,7 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 50944836820..9391ad0d798 100644 +index cd6407ceffc..2c14cf189a1 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -82,6 +82,17 @@ security.provider.tbd=Apple @@ -2603,7 +2609,7 @@ index 00000000000..6de716e6b42 +nssDbMode = readWrite +nssModule = fips + -+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true } + diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy index 9bd5dd53bd3..d1eba14c252 100644 @@ -4072,7 +4078,7 @@ index cabee449346..72b64f72c0a 100644 // empty } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 00fbbcfe07c..b5a30c6da4e 100644 +index 19f89ad5f38..a55c890b93d 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -4411,7 +4417,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644 d(SIG, "RawDSA", P11Signature, List.of("NONEwithDSA"), m(CKM_DSA)); -@@ -1120,9 +1332,21 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1122,9 +1334,21 @@ public final class SunPKCS11 extends AuthProvider { continue; } boolean allowLegacy = config.getAllowLegacy(); @@ -4433,7 +4439,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644 // assume full support if no mech info available if (!allowLegacy && mechInfo != null) { -@@ -1211,11 +1435,52 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1213,11 +1437,52 @@ public final class SunPKCS11 extends AuthProvider { } @Override @@ -4486,7 +4492,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644 try { return newInstance0(param); } catch (PKCS11Exception e) { -@@ -1235,6 +1500,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1237,6 +1502,8 @@ public final class SunPKCS11 extends AuthProvider { } else if (algorithm.endsWith("GCM/NoPadding") || algorithm.startsWith("ChaCha20-Poly1305")) { return new P11AEADCipher(token, algorithm, mechanism); @@ -4495,7 +4501,7 @@ index 00fbbcfe07c..b5a30c6da4e 100644 } else { return new P11Cipher(token, algorithm, mechanism); } -@@ -1570,6 +1837,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1574,6 +1841,9 @@ public final class SunPKCS11 extends AuthProvider { try { session = token.getOpSession(); p11.C_Logout(session.id()); diff --git a/java-17-openjdk-portable.specfile b/java-17-openjdk-portable.specfile index 0aa8141..504a479 100644 --- a/java-17-openjdk-portable.specfile +++ b/java-17-openjdk-portable.specfile @@ -315,7 +315,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 18 +%global updatever 19 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -365,7 +365,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver e1780dd5d39 +%global fipsver 62c0f885e30 # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -379,8 +379,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 2 +%global buildver 10 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -753,19 +753,19 @@ BuildRequires: libpng-devel BuildRequires: zlib-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.13.3 +Provides: bundled(freetype) = 2.14.2 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h -Provides: bundled(giflib) = 5.2.2 +Provides: bundled(giflib) = 6.1.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 11.2.0 +Provides: bundled(harfbuzz) = 12.3.2 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.51 +Provides: bundled(libpng) = 1.6.57 # Version in src/java.base/share/native/libzip/zlib/zlib.h -Provides: bundled(zlib) = 1.3.1 +Provides: bundled(zlib) = 1.3.2 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static %endif @@ -1838,13 +1838,36 @@ done %endif %changelog +* Fri Apr 17 2026 Thomas Fitzsimmons - 1:17.0.19.0.10-1 +- Set fipsver to 62c0f885e30 + +* Thu Apr 16 2026 Thomas Fitzsimmons - 1:17.0.19.0.10-1 +- Update to jdk-17.0.19+10 (GA) +- Add to .gitignore openjdk-17.0.19+10.tar.xz +- Set updatever to 19 +- Set buildver to 10 +- Set rpmrelease to 1 +- Update sources to openjdk-17.0.19+10.tar.xz +- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. ** +- Set bundled freetype library version to 2.14.2 +- Set bundled giflib library version to 6.1.2 +- Set bundled harfbuzz library version to 12.3.2 +- Set bundled libpng library version to 1.6.57 +- Set bundled zlib library version to 1.3.2 +- Update NEWS for jdk-17.0.19+10 (GA) + * Wed Feb 11 2026 Andrew Hughes - 1:17.0.18.0.8-2 - Add test to ensure blocked.certs is valid (OPENJDK-4362) - Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh +- Add gating scripts to simplify obtaining results and waiving issues +- Remove 8.2.0-z from tag_rhel_8_public.sh and tag_rhel_8_embargoed.sh +- Resolves: RHEL-149327 +- Related: RHEL-151197 * Wed Feb 11 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 - Set rpmrelease to 2 - Set fipsver to e1780dd5d39 +- Resolves: RHEL-122136 * Fri Jan 16 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-1 - Update to jdk-17.0.18+8 (GA) @@ -1862,7 +1885,10 @@ done - Set buildver to 7 - Set is_ga to 0 - Update sources to openjdk-17.0.18+7-ea.tar.xz +- Resolves: RHEL-139552 - Set bundled libpng version to 1.6.51 +- Resolves: RHEL-131590 +- Resolves: RHEL-131601 - Adjust attributes in nss.fips.cfg.in in fips-17u-df4c415ac9a.patch - Related: OPENJDK-4013 - Related: RHEL-122136 diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 6f9e752..ab9c52a 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -328,7 +328,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 18 +%global updatever 19 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -368,7 +368,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver e1780dd5d39 +%global fipsver 62c0f885e30 %global javaver %{featurever} %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} @@ -383,8 +383,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 2 +%global buildver 10 +%global rpmrelease 1 # Settings used by the portable build %global portablerelease 2 # Portable suffix differs between RHEL and CentOS @@ -1137,8 +1137,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2025b required as of JDK-8352716 -Requires: tzdata-java >= 2025b +# 2026a required as of JDK-8379035 +Requires: tzdata-java >= 2026a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1470,8 +1470,8 @@ BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{ %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2025b required as of JDK-8352716 -BuildRequires: tzdata-java >= 2025b +# 2026a required as of JDK-8379035 +BuildRequires: tzdata-java >= 2026a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1490,19 +1490,19 @@ BuildRequires: libpng-devel BuildRequires: zlib-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.13.3 +Provides: bundled(freetype) = 2.14.2 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h -Provides: bundled(giflib) = 5.2.2 +Provides: bundled(giflib) = 6.1.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 11.2.0 +Provides: bundled(harfbuzz) = 12.3.2 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.51 +Provides: bundled(libpng) = 1.6.57 # Version in src/java.base/share/native/libzip/zlib/zlib.h -Provides: bundled(zlib) = 1.3.1 +Provides: bundled(zlib) = 1.3.2 %endif # this is always built, also during debug-only build @@ -2512,6 +2512,31 @@ cjc.mainProgram(args) %endif %changelog +* Thu Apr 16 2026 Thomas Fitzsimmons - 1:17.0.19.0.10-1 +- Update to jdk-17.0.19+10 (GA) +- Add to .gitignore openjdk-17.0.19+10.tar.xz +- Set updatever to 19 +- Set buildver to 10 +- Set rpmrelease to 1 +- Update sources to openjdk-17.0.19+10.tar.xz +- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. ** +- Set tzdata requires and build requires to 2026a +- Set bundled freetype library version to 2.14.2 +- Set bundled giflib library version to 6.1.2 +- Set bundled harfbuzz library version to 12.3.2 +- Set bundled libpng library version to 1.6.57 +- Set bundled zlib library version to 1.3.2 +- Set fipsver to 62c0f885e30 +- Sync NEWS from openjdk-portable-rhel-8 +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Resolves: RHEL-133292 +- Resolves: RHEL-147350 +- Resolves: RHEL-148408 +- Resolves: RHEL-148987 +- Resolves: RHEL-161296 +- Resolves: RHEL-161445 +- Resolves: RHEL-157135 + * Thu Feb 12 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 - Set portablerelease to 2 - Remove test to ensure blocked.certs is valid, done in portable diff --git a/sources b/sources index 2d716dd..5817949 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-17.0.18+8.tar.xz) = 71b499f76b4ec42836a45a102f202fb5384c3bfb440d94afad004d4c8e9346298f5c557f16c409a27e6d347930eeae838e43d94c226c5938da008e7ee98db0ff +SHA512 (openjdk-17.0.19+10.tar.xz) = a905a9689363d4f0d0ff8e1ddf79a605209c5ec65d0858f3bb4b9ddcb3ffa0354c75fd4660323204957b58913c831a79b78dcd7615358b8135f38fc1c2d4c3bb