Sync the copy of the portable specfile with the latest update

Related: RHEL-142859
Related: RHEL-139560
Related: RHEL-131592
Related: RHEL-131602
Related: RHEL-122121

java-21-openjdk-portable.specfile

@@ -329,7 +329,7 @@
 # New Version-String scheme-style defines
 %global featurever 21
 %global interimver 0
-%global updatever 9
+%global updatever 10
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -379,7 +379,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 9203d50836c
+%global fipsver a0fd6e8ed6e
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver         %{featurever}
@@ -393,7 +393,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        10
+%global buildver        7
 %global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -661,6 +661,7 @@ Source18: TestTranslations.java
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
 # RH1940064: Enable XML Signature provider in FIPS mode
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
+# OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY
 Patch1001: fips-%{featurever}u-%{fipsver}.patch
 
 #############################################
@@ -770,7 +771,7 @@ Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.47
+Provides: bundled(libpng) = 1.6.51
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
 Provides: bundled(zlib) = 1.3.1
 # We link statically against libstdc++ to increase portability
@@ -1701,6 +1702,11 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi
   $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
 %endif
 
+  # Check blocked.certs is valid (OPENJDK-4362)
+  jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java
+  jtreg_dir=$(dirname ${jtreg_test})
+  $JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test}
+
   # Check src.zip has all sources. See RHBZ#1130490
   unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
 
@@ -1944,6 +1950,21 @@ done
 %endif
 
 %changelog
+* Sun Jan 18 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.10.0.7-1
+- Update to jdk-21.0.10+7 (GA)
+- Update release notes to 21.0.10+7
+- Bump libpng version to 1.6.51 following JDK-8372534
+- Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT
+- Add test to ensure blocked.certs is valid (OPENJDK-4362)
+- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh
+- Resolves: OPENJDK-4273
+- Resolves: OPENJDK-4281
+- Resolves: OPENJDK-4357
+- Resolves: OPENJDK-4397
+- Resolves: OPENJDK-4380
+- Resolves: OPENJDK-4388
+- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
+
 * Fri Oct 17 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.9.0.10-1
 - Update to jdk-21.0.9+10 (GA)
 - Update release notes to 21.0.9+10

java-21-openjdk.spec

@@ -2574,6 +2574,7 @@ cjc.mainProgram(args)
 - Bump libpng version to 1.6.51 following JDK-8372534
 - Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT
 - Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh
+- Sync the copy of the portable specfile with the latest update
 - Resolves: RHEL-142859
 - Resolves: RHEL-139560
 - Resolves: RHEL-131592