Update to jdk-21.0.5+10 (GA)

- Update release notes to 21.0.5+10
- Switch to GA mode.
- Revert JDK-8327501 & JDK-8328366 backport until more mature.

** This tarball is embargoed until 2024-10-15 @ 1pm PT. **

- Resolves: RHEL-61276

.gitignore

@@ -24,3 +24,4 @@
 /openjdk-21.0.5+1-ea.tar.xz
 /openjdk-21.0.5+5-ea.tar.xz
 /openjdk-21.0.5+9-ea.tar.xz
+/openjdk-21.0.5+10.tar.xz

NEWS

@@ -8,6 +8,20 @@ New in release OpenJDK 21.0.5 (2024-10-15):
 Live versions of these release notes can be found at:
   * https://bit.ly/openjdk2105
 
+* CVEs
+  - CVE-2024-21208
+  - CVE-2024-21210
+  - CVE-2024-21217
+  - CVE-2024-21235
+* Security fixes
+  - JDK-8307383: Enhance DTLS connections
+  - JDK-8311208: Improve CDS Support
+  - JDK-8328286: Enhance HTTP client
+  - JDK-8328544: Improve handling of vectorization
+  - JDK-8328726: Better Kerberos support
+  - JDK-8331446: Improve deserialization support
+  - JDK-8332644: Improve graph optimizations
+  - JDK-8335713: Enhance vectorization analysis
 * Other changes
   - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG
   - JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser
@@ -361,6 +375,7 @@ Live versions of these release notes can be found at:
   - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339
   - JDK-8341057: Add 2 SSL.com TLS roots
   - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
+  - JDK-8341674: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.5
 
 Notes on individual issues:
 ===========================
@@ -528,6 +543,24 @@ Name: SSL.com
 Alias Name: ssltlsrootrsa2022
 Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
 
+core-libs/java.net:
+
+JDK-8328286: Enhance HTTP client
+================================
+This OpenJDK release limits the maximum header field size accepted by
+the HTTP client within the JDK for all supported versions of the HTTP
+protocol. The header field size is computed as the sum of the size of
+the uncompressed header name, the size of the uncompressed header
+value and a overhead of 32 bytes for each field section line. If a
+peer sends a field section that exceeds this limit, a
+`java.net.ProtocolException` will be raised.
+
+This release also introduces a new system property,
+`jdk.http.maxHeaderSize`. This property can be used to alter the
+maximum header field size (in bytes) or disable it by setting the
+value to zero or a negative value. The default value is 393,216 bytes
+or 384kB.
+
 core-svc/java.lang.management:
 
 JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods

java-21-openjdk.spec

@@ -365,8 +365,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
-%global rpmrelease      1
+%global buildver        10
+%global rpmrelease      2
 # Settings used by the portable build
 %global portablerelease 1
 # Portable suffix differs between RHEL and CentOS
@@ -394,7 +394,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global build_type GA
 %global ea_designator ""
@@ -1420,6 +1420,8 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 # OpenJDK patches in need of upstreaming
 #
 #############################################
+# Revert backport of JDK-8327501 & JDK-8328366
+Patch2001: jdk8327501-8328366-revert.patch
 
 # Currently empty
 
@@ -1895,6 +1897,8 @@ sh %{SOURCE12} %{top_level_dir_name}
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
 %patch -P1001 -p1
+# Backport reversion
+%patch -P2001 -p1
 popd # openjdk
 
 
@@ -2532,6 +2536,14 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sat Oct 12 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.5.0.10-1
+- Update to jdk-21.0.5+10 (GA)
+- Update release notes to 21.0.5+10
+- Switch to GA mode.
+- Revert JDK-8327501 & JDK-8328366 backport until more mature.
+- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. **
+- Resolves: RHEL-61276
+
 * Fri Oct 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.5.0.9-0.1.ea
 - Update to jdk-21.0.5+9 (EA)
 - Update release notes to 21.0.5+9

jdk8327501-8328366-revert.patch

@@ -0,0 +1,49 @@
+commit f21b0a990905afe79b56919a5119e2c06e29d61a
+Author: Andrew John Hughes <gnu_andrew@member.fsf.org>
+Date:   Sat Oct 12 02:31:38 2024 +0100
+
+    Revert "8327501: Common ForkJoinPool prevents class unloading in some cases"
+    
+    This reverts commit eb103b0e1abeeee19779cafc763d3d159030fb48.
+
+diff --git a/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java b/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java
+index 8aafda5312e..5e698b1540f 100644
+--- a/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java
++++ b/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java
+@@ -981,7 +981,9 @@ public class ForkJoinPool extends AbstractExecutorService {
+             boolean isCommon = (pool.workerNamePrefix == null);
+             @SuppressWarnings("removal")
+             SecurityManager sm = System.getSecurityManager();
+-            if (sm != null && isCommon)
++            if (sm == null)
++                return new ForkJoinWorkerThread(null, pool, true, false);
++            else if (isCommon)
+                 return newCommonWithACC(pool);
+             else
+                 return newRegularWithACC(pool);
+diff --git a/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java b/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java
+index a87aa7b916b..266c2a036fe 100644
+--- a/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java
++++ b/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java
+@@ -79,9 +79,6 @@ public class ForkJoinPool9Test extends JSR166TestCase {
+             assertSame(ForkJoinPool.commonPool(), ForkJoinTask.getPool());
+             Thread currentThread = Thread.currentThread();
+ 
+-            ClassLoader preexistingContextClassLoader =
+-                    currentThread.getContextClassLoader();
+-
+             Stream.of(systemClassLoader, null).forEach(cl -> {
+                 if (randomBoolean())
+                     // should always be permitted, without effect
+@@ -98,11 +95,6 @@ public class ForkJoinPool9Test extends JSR166TestCase {
+                     () -> System.getProperty("foo"),
+                     () -> currentThread.setContextClassLoader(
+                         classLoaderDistinctFromSystemClassLoader));
+-            else {
+-                currentThread.setContextClassLoader(classLoaderDistinctFromSystemClassLoader);
+-                assertSame(currentThread.getContextClassLoader(), classLoaderDistinctFromSystemClassLoader);
+-                currentThread.setContextClassLoader(preexistingContextClassLoader);
+-            }
+             // TODO ?
+ //          if (haveSecurityManager
+ //              && Thread.currentThread().getClass().getSimpleName()

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-21.0.5+9-ea.tar.xz) = 7a4a38fceec86c418ae51c3ebbe37251da75ce857300f8915107d82e649a75e9e28354f6ac20e325284ce940f0d702e3f72d14363ad99030d968236c283d425e
+SHA512 (openjdk-21.0.5+10.tar.xz) = 1fe2c4d9137c36171a729343051738177c1e65ad1b50de330115f8ccfa2008611dcb40ca1e158176a9ed77ecea33308ad6034985e0700fd0e96a151cd416f67b