From 75d605a8622f9b44162cef59e02e085948df0e56 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Fri, 23 Jan 2026 09:09:13 +0000 Subject: [PATCH] import UBI java-21-openjdk-21.0.10.0.7-1.el9 --- .gitignore | 2 +- .java-21-openjdk.metadata | 2 +- SOURCES/NEWS | 474 ++++++++++++++++++ ...0836c.patch => fips-21u-a0fd6e8ed6e.patch} | 14 +- SOURCES/java-21-openjdk-portable.specfile | 29 +- SPECS/java-21-openjdk.spec | 26 +- 6 files changed, 529 insertions(+), 18 deletions(-) rename SOURCES/{fips-21u-9203d50836c.patch => fips-21u-a0fd6e8ed6e.patch} (99%) diff --git a/.gitignore b/.gitignore index e17aa68..6f8781a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-21.0.9+10.tar.xz +SOURCES/openjdk-21.0.10+7.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-21-openjdk.metadata b/.java-21-openjdk.metadata index ccc920e..2c140bb 100644 --- a/.java-21-openjdk.metadata +++ b/.java-21-openjdk.metadata @@ -1,2 +1,2 @@ -042d8059572dbc352238ea59e90c3fb97a30309a SOURCES/openjdk-21.0.9+10.tar.xz +1e24e8b2c4802b336ecf71428de9e38abecc0d05 SOURCES/openjdk-21.0.10+7.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index e8e70af..1bf13ce 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,480 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 21.0.10 (2026-01-20): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2110 + +* CVEs + - CVE-2026-21925 + - CVE-2026-21932 + - CVE-2026-21933 + - CVE-2026-21945 +* Changes + - JDK-7191877: TEST_BUG: java/rmi/transport/checkLeaseInfoLeak/CheckLeaseLeak.java failing intermittently + - JDK-8072701: resume001 failed due to ERROR: timeout for waiting for a BreakpintEvent + - JDK-8139228: JFileChooser renders file names as HTML document + - JDK-8139392: JInternalFrame has incorrect padding + - JDK-8140527: JInternalFrame has incorrect title button width + - JDK-8162380: [TEST_BUG] MouseEvent/.../AltGraphModifierTest.java has only "Fail" button + - JDK-8199149: Improve the exception message thrown by VarHandle of unsupported operation + - JDK-8201183: sjavac build failures: "Connection attempt failed: Connection refused" + - JDK-8201778: Speed up test javax/net/ssl/DTLS/PacketLossRetransmission.java + - JDK-8204868: java/util/zip/ZipFile/TestCleaner.java still fails with "cleaner failed to clean zipfile." + - JDK-8210807: Printing a JTable with a JScrollPane prints table without rows populated + - JDK-8216437: PPC64: Add intrinsic for GHASH algorithm + - JDK-8219408: Tests should handle ${} in the view of jtreg "smart action" + - JDK-8230016: re-visit test sun/security/pkcs11/Serialize/SerializeProvider.java + - JDK-8245545: Disable TLS_RSA cipher suites + - JDK-8265429: Improve GCM encryption + - JDK-8277424: javax/net/ssl/TLSCommon/TLSTest.java fails with connection refused + - JDK-8280482: Window transparency bug on Linux + - JDK-8290043: serviceability/attach/ConcAttachTest.java failed "guarantee(!CheckJNICalls) failed: Attached JNI thread exited without being detached" + - JDK-8297531: sun/security/krb5/MicroTime.java fails with "Exception: What? only 100 musec precision?" + - JDK-8300708: Some nsk jvmti tests fail with virtual thread wrapper due to jvmti missing some virtual thread support + - JDK-8304065: HttpServer.stop should terminate immediately if no exchanges are in progress + - JDK-8304811: vmTestbase/vm/mlvm/indy/func/jvmti/stepBreakPopReturn/INDIFY_Test.java fails with JVMTI_ERROR_TYPE_MISMATCH + - JDK-8305186: Reference.waitForReferenceProcessing should be more accessible to tests + - JDK-8305567: serviceability/tmtools/jstat/GcTest01.java failed utils.JstatGcResults.assertConsistency + - JDK-8306579: Consider building with /Zc:throwingNew + - JDK-8307160: Fix AWT/2D/A11Y to support the permissive- flag on the Microsoft Visual C compiler + - JDK-8308780: Fix the Java Integer types on Windows + - JDK-8309511: Regression test ExtraImportSemicolon.java refers to the wrong bug + - JDK-8310049: Refactor Charset tests to use JUnit + - JDK-8310915: Typo in aarch64.ad: "envcodings" + - JDK-8311076: RedefineClasses doesn't check for ConstantPool overflow + - JDK-8311906: Improve robustness of String constructors with mutable array inputs + - JDK-8313231: Redundant if statement in ZoneInfoFile + - JDK-8313770: jdk/internal/platform/docker/TestSystemMetrics.java fails on Ubuntu + - JDK-8315130: java.lang.IllegalAccessError when processing classlist to create CDS archive + - JDK-8315990: Amend problemlisted tests to proper position + - JDK-8316422: TestIntegerUnsignedDivMod.java triggers "invalid layout" assert in FrameValues::validate + - JDK-8317132: Prepare HotSpot for permissive- + - JDK-8317332: Prepare security for permissive- + - JDK-8317970: Bump target macosx-x64 version to 11.00.00 + - JDK-8318467: [jmh] tests concurrent.Queues and concurrent.ProducerConsumer hang with 101+ threads + - JDK-8318730: MonitorVmStartTerminate.java still times out after JDK-8209595 + - JDK-8318850: Duplicate code in the LCMSImageLayout + - JDK-8319570: Change to GCC 13.2.0 for building on Linux at Oracle + - JDK-8320049: PKCS10 would not discard the cause when throw SignatureException on invalid key + - JDK-8320577: Improve MessageHeader's toString() function to make HttpURLConnection's debug log readable + - JDK-8320836: jtreg gtest runs should limit heap size + - JDK-8321180: Condition for non-latin1 string size too large exception is off by one + - JDK-8321183: Incorrect warning from cds about the modules file + - JDK-8321514: UTF16 string gets constructed incorrectly from codepoints if CompactStrings is not enabled + - JDK-8322018: Test java/lang/String/CompactString/MaxSizeUTF16String.java fails with -Xcomp + - JDK-8322135: Printing JTable in Windows L&F throws InternalError: HTHEME is null + - JDK-8322140: javax/swing/JTable/JTableScrollPrintTest.java does not print the rows and columns of the table in Nimbus and Aqua LookAndFeel + - JDK-8323803: ConstantOopReadValue::print_on should print 'null' instead of 'nullptr' + - JDK-8324065: Daylight saving information for `Africa/Casablanca` are incorrect + - JDK-8324491: Keyboard layout didn't keep its state if it was changed when dialog was active + - JDK-8325277: [21u] Backout test change of JDK-8291809 + - JDK-8325530: Vague error message when com.sun.tools.attach.VirtualMachine fails to load agent library + - JDK-8325590: Regression in round-tripping UTF-16 strings after JDK-8311906 + - JDK-8325647: [IR framework] Only prints stdout if exitCode is 134 + - JDK-8325731: Installation instructions for Debian/Ubuntu don't mention autoconf + - JDK-8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically + - JDK-8327434: Test java/util/PluggableLocale/TimeZoneNameProviderTest.java timed out + - JDK-8327704: Update nsk/jdi tests to use driver instead of othervm + - JDK-8327757: Convert javax/swing/JSlider/6524424/bug6524424.java applet to main + - JDK-8327856: Convert applet test SpanishDiacriticsTest.java to a main program + - JDK-8327980: Convert javax/swing/JToggleButton/4128979/bug4128979.java applet test to main + - JDK-8328124: Convert java/awt/Frame/ShownOnPack/ShownOnPack.html applet test to main + - JDK-8328247: Remove redundant dir for tests converted from applet to main + - JDK-8328299: Convert DnDFileGroupDescriptor.html applet test to main + - JDK-8328377: Convert java/awt/Cursor/MultiResolutionCursorTest test to main + - JDK-8328562: Convert java/awt/InputMethods/DiacriticsTest/DiacriticsTest.java applet test to main + - JDK-8331231: containers/docker/TestContainerInfo.java fails + - JDK-8333200: Test containers/docker/TestPids.java fails Limit value -1 is not accepted as unlimited + - JDK-8333526: Restructure java/nio/channels/DatagramChannel/StressNativeSignal.java to a fail fast exception handling policy + - JDK-8333569: jpackage tests must run app launchers with retries on Linux only + - JDK-8333783: java/nio/channels/FileChannel/directio/DirectIOTest.java is unstable with AV software + - JDK-8334217: [AIX] Misleading error messages after JDK-8320005 + - JDK-8334509: Cancelling PageDialog does not return the same PageFormat object + - JDK-8334756: javac crashed on call to non-existent generic method with explicit annotated type arg + - JDK-8334771: [TESTBUG] Run TestDockerMemoryMetrics.java with -Xcomp fails exitValue = 137 + - JDK-8335986: Test javax/swing/JCheckBox/4449413/bug4449413.java fails on Windows 11 x64 because RBMenuItem's and CBMenuItem's checkmark on the left side are not visible + - JDK-8337723: Remove redundant tests from com/sun/security/sasl/gsskerb + - JDK-8338428: Add logging of final VM flags while setting properties + - JDK-8338740: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes + - JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC + - JDK-8339366: [jittester] Make it possible to generate tests without execution + - JDK-8340015: Open source several AWT focus tests - series 7 + - JDK-8340321: Disable SHA-1 in TLS/DTLS 1.2 handshake signatures + - JDK-8340354: Open source AWT desktop properties and print related tests + - JDK-8341097: GHA: Demote Mac x86 jobs to build only + - JDK-8341131: Some jdk/jfr/event/compiler tests shouldn't be executed with Xcomp + - JDK-8341138: Rename jtreg property docker.support as container.support + - JDK-8341443: [macos] AppContentTest and SigningOptionsTest failed due to "codesign" does not fails with "--app-content" on macOS 15 + - JDK-8341496: Improve JMX connections + - JDK-8342576: [macos] AppContentTest still fails after JDK-8341443 for same reason on older macOS versions + - JDK-8342582: user.region for formatting number no longer works for 21.0.5 + - JDK-8342934: TYPE_USE annotations printed with error causing "," in toString output + - JDK-8343191: Cgroup v1 subsystem fails to set subsystem path + - JDK-8343340: Swapping checking do not work for MetricsMemoryTester failcount + - JDK-8343875: Minor improvements of jpackage test library + - JDK-8343876: Enhancements to jpackage test lib + - JDK-8344143: Test jdk/java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java timed out on macosx-x64 + - JDK-8344577: Virtual thread tests are timing out on some macOS systems + - JDK-8345213: JVM Prefers /etc/timezone Over /etc/localtime on Debian 12 + - JDK-8346142: [perf] scalability issue for the specjvm2008::xml.validation workload + - JDK-8346234: javax/swing/text/DefaultEditorKit/4278839/bug4278839.java still fails in CI + - JDK-8346753: Test javax/swing/JMenuItem/RightLeftOrientation/RightLeftOrientation.java fails on Windows Server 2025 x64 because the icons of RBMenuItem and CBMenuItem are not visible in Nimbus LookAndFeel + - JDK-8346839: [TESTBUG] "java/awt/textfield/setechochartest4/setechochartest4.java" failed because the test frame disappears on clicking "Click Several Times" button + - JDK-8346875: Test jdk/jdk/jfr/event/os/TestCPULoad.java fails on macOS + - JDK-8347143: [aix] Fix strdup use in os::dll_load + - JDK-8347277: java/awt/Focus/ComponentLostFocusTest.java fails intermittently + - JDK-8347300: Don't exclude the "PATH" var from the environment when running app launchers in jpackage tests + - JDK-8347377: Add validation checks for ICC_Profile header fields + - JDK-8347434: Richer VM operations events logging + - JDK-8347811: Container detection code for cgroups v2 should use cgroup.controllers + - JDK-8347841: Test fixes that use deprecated time zone IDs + - JDK-8348240: Remove SystemDictionaryShared::lookup_super_for_unregistered_class() + - JDK-8348402: PerfDataManager stalls shutdown for 1ms + - JDK-8349188: LineBorder does not scale correctly + - JDK-8349534: Refactor jdk/sun/security/krb5/runNameEquals.sh to java test + - JDK-8349705: java.net.URI.scanIPv4Address throws unnecessary URISyntaxException + - JDK-8349988: Change cgroup version detection logic to not depend on /proc/cgroups + - JDK-8350102: Decouple jpackage test-lib Executor.Result and Executor classes + - JDK-8350623: Fix -Wzero-as-null-pointer-constant warnings in nsk native test utilities + - JDK-8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError + - JDK-8351110: ImageIO.write for JPEG can write corrupt JPEG for certain thumbnail dimensions + - JDK-8351359: OperatingSystemMXBean: values from getCpuLoad and getProcessCpuLoad are stale after 24.8 days (Windows) + - JDK-8351382: New test containers/docker/TestMemoryWithSubgroups.java is failing + - JDK-8351567: Jar Manifest test ValueUtf8Coding produces misleading diagnostic output + - JDK-8352016: Improve java/lang/RuntimeTests/RuntimeExitLogTest.java + - JDK-8352533: Report useful IOExceptions when jspawnhelper fails + - JDK-8352678: Opensource few JMenuItem tests + - JDK-8352682: Opensource JComponent tests + - JDK-8352686: Opensource JInternalFrame tests - series3 + - JDK-8352687: Opensource few JInternalFrame and JTextField tests + - JDK-8352793: Open source several AWT TextComponent tests - Batch 1 + - JDK-8352865: Open source several AWT TextComponent tests - Batch 2 + - JDK-8352905: Open some JComboBox bugs 1 + - JDK-8352926: New test TestDockerMemoryMetricsSubgroup.java fails + - JDK-8352966: Opensource Several Font related tests - Batch 2 + - JDK-8352997: Open source several Swing JTabbedPane tests + - JDK-8353007: Open some JComboBox bugs 2 + - JDK-8353011: Open source Swing JButton tests - Set 1 + - JDK-8353013: java.net.URI.create(String) may have low performance to scan the host/domain name from URI string when the hostname starts with number + - JDK-8353175: Eliminate double iteration of stream in FieldDescriptor reinitialization + - JDK-8353201: Open source Swing Tooltip tests - Set 2 + - JDK-8353299: VerifyJarEntryName.java test fails + - JDK-8353309: Open source several Swing text tests + - JDK-8353319: Open source Swing tests - Set 3 + - JDK-8353445: Open source several AWT Menu tests - Batch 1 + - JDK-8353470: Clean up and open source couple AWT Graphics related tests (Part 2) + - JDK-8353483: Open source some JProgressBar tests + - JDK-8353486: Open source Swing Tests - Set 4 + - JDK-8353585: Provide ChoiceFormat#parse(String, ParsePosition) tests + - JDK-8353586: Open source several toolkit tests + - JDK-8353589: Open source a few Swing menu-related tests + - JDK-8353592: Open source several scrollbar tests + - JDK-8353661: Open source several swing tests batch5 + - JDK-8353832: Opensource FontClass, Selection and Icon tests + - JDK-8353953: com/sun/jdi tests should be fixed to not always require includevirtualthreads=y + - JDK-8353957: Open source several AWT ScrollPane tests - Batch 1 + - JDK-8353958: Open source several AWT ScrollPane tests - Batch 2 + - JDK-8354095: Open some JTable bugs 5 + - JDK-8354106: Clean up and open source KeyEvent related tests (Part 2) + - JDK-8354214: Open source Swing tests Batch 2 + - JDK-8354233: Open some JTable bugs 6 + - JDK-8354235: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine + - JDK-8354248: Open source several AWT GridBagLayout and List tests + - JDK-8354340: Open source Swing Tests - Set 6 + - JDK-8354341: Open some JTable bugs 7 + - JDK-8354365: Opensource few Modal and Full Screen related tests + - JDK-8354418: Open source Swing tests Batch 4 + - JDK-8354451: Open source some more Swing popup menu tests + - JDK-8354465: Open some JTable bugs 8 + - JDK-8354466: Open some misc Swing bugs 9 + - JDK-8354472: Clean up and open source KeyEvent related tests (Part 3) + - JDK-8354475: TestDockerMemoryMetricsSubgroup.java fails with exitValue = 1 + - JDK-8354493: Opensource Several MultiScreen and Insets related tests + - JDK-8354495: Open source several AWT DataTransfer tests + - JDK-8354532: Open source JFileChooser Tests - Set 7 + - JDK-8354552: Open source a few Swing tests + - JDK-8354553: Open source several clipboard tests batch0 + - JDK-8354561: Open source several swing tests batch0 + - JDK-8354646: java.awt.TextField allows to identify the spaces in a password when double clicked at the starting and end of the text + - JDK-8354653: Clean up and open source KeyEvent related tests (Part 4) + - JDK-8354701: Open source few JToolTip tests + - JDK-8354873: javax/swing/plaf/metal/MetalIconFactory/bug4952462.java failing on CI + - JDK-8354928: Clean up and open source some miscellaneous AWT tests + - JDK-8355071: Fix nsk/jdi test to not require lookup of main thread in order to set the breakpoint used for communication + - JDK-8355077: Compiler error at splashscreen_gif.c due to unterminated string initialization + - JDK-8355241: Move NativeDialogToFrontBackTest.java PL test to manual category + - JDK-8355333: Some Problem list entries point to non-existent / wrong files + - JDK-8355387: [jittester] Disable downcasts by default + - JDK-8355444: [java.io] Use @requires tag instead of exiting based on "os.name" property value + - JDK-8355478: DoubleActionESC.java fails intermittently + - JDK-8355558: SJIS.java test is always ignored + - JDK-8355561: [macos] Build failure with Xcode 16.3 + - JDK-8355569: Some nsk/jdi tests can glean the "main" thread by using the ClassPrepareEvent for the debuggee main class + - JDK-8355773: Some nsk/jdi tests can fetch ThreadReference from static field in the debuggee + - JDK-8356023: Some nsk/jdi tests can fetch ThreadReference from static field in the debuggee: part 2 + - JDK-8356040: java/util/PluggableLocale/LocaleNameProviderTest.java timed out + - JDK-8356145: ListEnterExitTest.java fails on macos + - JDK-8356187: TestJcmd.java may incorrectly parse podman version + - JDK-8356588: Some nsk/jdi tests can fetch ThreadReference from static field in the debuggee: part 3 + - JDK-8356752: Log mouse enter and exit events for debugging + - JDK-8356811: Some nsk/jdi tests can fetch ThreadReference from static field in the debuggee: part 4 + - JDK-8356897: Update NSS library to 3.111 + - JDK-8357172: Extend try block in nsk/jdi tests to capture exceptions thrown by Debuggee.classByName() + - JDK-8357305: Compilation failure in javax/swing/JMenuItem/bug6197830.java + - JDK-8357561: BootstrapLoggerTest does not work on Ubuntu 24 with LANG de_DE.UTF-8 + - JDK-8357799: Improve instructions for JFileChooser/HTMLFileName.java + - JDK-8357822: C2: Multiple string optimization tests are no longer testing string concatenation optimizations + - JDK-8357882: Use UTF-8 encoded data in LocaleDataTest + - JDK-8358048: java/net/httpclient/HttpsTunnelAuthTest.java incorrectly calls Thread::stop + - JDK-8358532: JFileChooser in GTK L&F still displays HTML filename + - JDK-8358577: Test serviceability/jvmti/thread/GetCurrentContendedMonitor/contmon01/contmon01.java failed: unexpexcted monitor object + - JDK-8358679: [asan] vmTestbase/nsk/jvmti tests show memory issues + - JDK-8358748: Large page size initialization fails with assert "page_size must be a power of 2" + - JDK-8358764: (sc) SocketChannel.close when thread blocked in read causes connection to be reset (win) + - JDK-8358813: JPasswordField identifies spaces in password via delete shortcuts + - JDK-8359061: Update and ProblemList manual test java/awt/Cursor/CursorDragTest/ListDragCursor.java + - JDK-8359167: Remove unused test/hotspot/jtreg/vmTestbase/nsk/share/jpda/BindServer.java + - JDK-8359182: Use @requires instead of SkippedException for MaxPath.java + - JDK-8359207: Remove runtime/signal/TestSigusr2.java since it is always skipped + - JDK-8359418: Test "javax/swing/text/GlyphView/bug4188841.java" failed because the phrase of text pane does not match the instructions + - JDK-8359428: Test 'javax/swing/JTabbedPane/bug4499556.java' failed because after selecting one of L&F items, the test case automatically failed when clicking on L&F Menu button again + - JDK-8359449: [TEST] open/test/jdk/java/io/File/SymLinks.java Refactor extract method for Windows specific test + - JDK-8359477: com/sun/net/httpserver/Test12.java appears to have a temp file race + - JDK-8359501: Enhance Handling of URIs + - JDK-8359687: Use PassFailJFrame for java/awt/print/Dialog/DialogType.java + - JDK-8360022: ClassRefDupInConstantPoolTest.java fails when running in repeat + - JDK-8360178: TestArguments.atojulong gtest has incorrect format string + - JDK-8360288: Shenandoah crash at size_given_klass in op_degenerated + - JDK-8360408: [TEST] Use @requires tag instead of exiting based on "os.name" property value for sun/net/www/protocol/file/FileURLTest.java + - JDK-8360411: [TEST] open/test/jdk/java/io/File/MaxPathLength.java Refactor extract method to encapsulate Windows specific test logic + - JDK-8360478: libjsig related tier3 jtreg tests fail when asan is configured + - JDK-8360533: ContainerRuntimeVersionTestUtils fromVersionString fails with some docker versions + - JDK-8360981: Remove use of Thread.stop in test/jdk/java/net/Socket/DeadlockTest.java + - JDK-8361253: CommandLineOptionTest library should report observed values on failure + - JDK-8361298: SwingUtilities/bug4967768.java fails where character P is not underline + - JDK-8361314: Test serviceability/jvmti/VMEvent/MyPackage/VMEventRecursionTest.java FATAL ERROR in native method: Failed during the GetClassSignature call + - JDK-8361423: Add IPSupport::printPlatformSupport to java/net/NetworkInterface/IPv4Only.java + - JDK-8361447: [REDO] Checked version of JNI ReleaseArrayElements needs to filter out known wrapped arrays + - JDK-8361599: [PPC64] enable missing tests via jtreg requires + - JDK-8361751: Test sun/tools/jcmd/TestJcmdSanity.java timed out on Windows + - JDK-8361754: New test runtime/jni/checked/TestCharArrayReleasing.java can cause disk full errors + - JDK-8361868: [GCC static analyzer] complains about missing calloc - NULL checks in p11_util.c + - JDK-8361871: [GCC static analyzer] complains about use of uninitialized value ckpObject in p11_util.c + - JDK-8362123: ClassLoader Leak via Executors.newSingleThreadExecutor(...) + - JDK-8362204: test/jdk/sun/awt/font/TestDevTransform.java fails on Ubuntu 24.04 + - JDK-8362207: Add more test cases for possible double-rounding in fma + - JDK-8362308: Enhance Bitmap operations + - JDK-8362516: Support of GCC static analyzer (-fanalyzer) + - JDK-8362532: Test gc/g1/plab/* duplicate command-line options + - JDK-8362533: Tests sun/management/jmxremote/bootstrap/* duplicate VM flags + - JDK-8362602: Add test.timeout.factor to CompileFactory to avoid test timeouts + - JDK-8362632: Improve HttpServer Request handling + - JDK-8363676: [GCC static analyzer] missing return value check of malloc in OGLContext_SetTransform + - JDK-8363720: Follow up to JDK-8360411 with post review comments + - JDK-8363966: GHA: Switch cross-compiling sysroots to Debian trixie + - JDK-8364198: NMT should have a better corruption message + - JDK-8364199: Enhance list of environment variables printed in hserr/hsinfo file + - JDK-8364214: Enhance polygon data support + - JDK-8364235: Fix for JDK-8361447 breaks the alignment requirements for GuardedMemory + - JDK-8364257: JFR: User-defined events and settings with a one-letter name cannot be configured + - JDK-8364258: ThreadGroup constant pool serialization is not normalized + - JDK-8364263: HttpClient: Improve encapsulation of ProxyServer + - JDK-8364484: misc tests fail with Received fatal alert: handshake_failure + - JDK-8364514: [asan] runtime/jni/checked/TestCharArrayReleasing.java heap-buffer-overflow + - JDK-8364556: JFR: Disable SymbolTableStatistics and StringTableStatistics in default.jfc + - JDK-8364597: Replace THL A29 Limited with Tencent + - JDK-8364660: ClassVerifier::ends_in_athrow() should be removed + - JDK-8364786: Test java/net/vthread/HttpALot.java intermittently fails - 24999 handled, expected 25000 + - JDK-8364993: JFR: Disable jdk.ModuleExport in default.jfc + - JDK-8364996: java/awt/font/FontNames/LocaleFamilyNames.java times out on Windows + - JDK-8365058: Enhance CopyOnWriteArraySet + - JDK-8365086: CookieStore.getURIs() and get(URI) should return an immutable List + - JDK-8365098: make/RunTests.gmk generates a wrong path to test artifacts on Alpine + - JDK-8365168: Use 64-bit aligned addresses for CK_ULONG access in PKCS11 native key code + - JDK-8365240: [asan] exclude some tests when using asan enabled binaries + - JDK-8365271: Improve Swing supports + - JDK-8365280: Enhance JOptionPane + - JDK-8365425: [macos26] javax/swing/JInternalFrame/8160248/JInternalFrameDraggingTest.java fails on macOS 26 + - JDK-8365442: [asan] runtime/ErrorHandling/CreateCoredumpOnCrash.java fails + - JDK-8365487: [asan] some oops (mode) related tests fail + - JDK-8365615: Improve JMenuBar/RightLeftOrientation.java + - JDK-8365660: test/jdk/sun/security/pkcs11/KeyAgreement/ tests skipped without SkipExceprion + - JDK-8365790: Shutdown hook for application image does not work on Windows + - JDK-8365834: Mark java/net/httpclient/ManyRequests.java as intermittent + - JDK-8365913: Support latest MSC_VER in abstract_vm_version.cpp + - JDK-8365919: Replace currentTimeMillis with nanoTime in Stresser.java + - JDK-8365983: Tests should throw SkippedException when SCTP not supported + - JDK-8366092: [GCC static analyzer] UnixOperatingSystem.c warning: use of uninitialized value 'systemTicks' + - JDK-8366159: SkippedException is treated as a pass for pkcs11/KeyStore, pkcs11/SecretKeyFactory and pkcs11/SecureRandom + - JDK-8366208: Unexpected exception in sun.java2d.cmm.lcms.LCMSImageLayout + - JDK-8366229: runtime/Thread/TooSmallStackSize.java runs with all collectors + - JDK-8366231: Bump update version for OpenJDK: jdk-21.0.10 + - JDK-8366342: Key generator and key pair generator tests skipping, but showing as passed + - JDK-8366359: Test should throw SkippedException when there is no lpstat + - JDK-8366558: Gtests leave /tmp/cgroups-test* files + - JDK-8366750: Remove test 'java/awt/Choice/ChoiceMouseWheelTest/ChoiceMouseWheelTest.java' from problemlist + - JDK-8366764: Deproblemlist java/awt/ScrollPane/ScrollPositionTest.java + - JDK-8366844: Update and automate MouseDraggedOriginatedByScrollBarTest.java + - JDK-8366893: java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java timed out on macos-aarch64 + - JDK-8367017: Remove legacy checks from WrappedToolkitTest and convert from bash + - JDK-8367021: Regression in LocaleDataTest refactoring + - JDK-8367131: Test com/sun/jdi/ThreadMemoryLeakTest.java fails on 32 bits + - JDK-8367133: DTLS: fragmentation of Finished message results in handshake failure + - JDK-8367237: Thread-Safety Usage Warning for java.text.Collator Classes + - JDK-8367348: Enhance PassFailJFrame to support links in HTML + - JDK-8367372: Test `test/hotspot/jtreg/gc/TestObjectAlignmentCardSize.java` fails on 32 bit systems + - JDK-8367384: The ICC_Profile class may throw exceptions during serialization + - JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName + - JDK-8367869: Test java/io/FileDescriptor/Sync.java timed out + - JDK-8367904: Test java/net/InetAddress/ptr/Lookup.java should throw SkippedException + - JDK-8368032: Enhance Certificate Checking + - JDK-8368192: Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace + - JDK-8368668: Several vmTestbase/vm/gc/compact tests timed out on large memory machine + - JDK-8368960: Adjust java UL logging in the build + - JDK-8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out + - JDK-8369032: Add test to ensure serialized ICC_Profile stores only necessary optional data + - JDK-8369078: Fix faulty test conversion in IllegalCharsetName.java + - JDK-8369184: SimpleTimeZone equals() Returns True for Unequal Instances with Different hashCode Values + - JDK-8369226: GHA: Switch to MacOS 15 + - JDK-8369319: java/net/httpclient/CancelRequestTest.java fails intermittently + - JDK-8369450: [Ubuntu 25.10] openjdk fails to build due to rust-coreutils date + - JDK-8369506: Bytecode rewriting causes Java heap corruption on AArch64 + - JDK-8369563: Gtest dll_address_to_function_and_library_name has issues with stripped pdb files + - JDK-8369616: JavaFrameAnchor on RISC-V has unnecessary barriers and wrong store order in MacroAssembler + - JDK-8369946: Bytecode rewriting causes Java heap corruption on PPC + - JDK-8369947: Bytecode rewriting causes Java heap corruption on RISC-V + - JDK-8370214: [21u] Remove -Xdebug and -Xnoagent from tests: backport parts of 8227229 and 8312072 + - JDK-8370465: Right to Left Orientation Issues with MenuItem Component + - JDK-8372534: Update Libpng to 1.6.51 + - JDK-8375447: Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.10 + +Notes on individual issues: +=========================== + +core-libs/java.util:i18n: + +JDK-8345213: JVM Prefers /etc/timezone Over /etc/localtime on Debian 12 +======================================================================= +On older Debian-based GNU/Linux systems, the /etc/timezone file +contained the name of the timezone in use on the system and so was +preferred by OpenJDK for determining the default timezone returned by +`TimeZone.getDefault()`. Since Debian 3.1 in 2005, the /etc/localtime +file has also been provided as either a link to or a copy of the zone +data file provided by the tzdata database and this is now the +preferred source of the system timezone following Debian's adoption of +systemd. OpenJDK's continued preference for /etc/timezone meant that +it may be reading a timezone setting which was no longer updated on +modern Debian systems. With this OpenJDK update, OpenJDK only reads +/etc/localtime as on other GNU/Linux systems. + +See https://wiki.debian.org/TimeZoneChanges#Check_Configured_Timezone +for more details. + +core-libs/java.lang: + +JDK-8311906: Improve robustness of String constructors with mutable array inputs +================================================================================ +The introduction of Compact Strings (JEP 254, OpenJDK 9) changed the +implementation of the String class to use a byte array to store +character data in either ISO-8859-1/Latin-1 (one byte per character) +or UTF-16 (two bytes per character). This optimisation reduced the +memory usage over a character array when String objects with only +Latin-1 characters were used. However, this also introduced a +potential race condition if the input character array was modified +externally while being converted to bytes. With this release of +OpenJDK, the conversion now includes an additional verification step +which checks that the first character that is not Latin-1 is still not +Latin-1 in the original array after all characters have been copied. +If it has changed to Latin-1, a second attempt is made to compress the +character data to Latin-1. A note is also added to the documentation +of the relevant methods in AbstractStringBuilder, Appendable and +String to indicate that the contents of the final String are +unspecified if the character array is modified during construction. + +See https://openjdk.org/jeps/254 for more details on Compact Strings. + +core-svc/javax.management: + +JDK-8341496: Improve JMX connections +==================================== +With this release of OpenJDK, SSL connections created by +javax.rmi.ssl.SslRMIClientSocketFactory now enable HTTPS-based +endpoint identification by default. This can be disabled by setting +the new system property +jdk.rmi.ssl.client.enableEndpointIdentification to false. + +security-libs/java.security: + +JDK-8368032: Enhance Certificate Checking +========================================= +OpenJDK supports the authorityInfoAccess extension in X.509 +certificates when the `com.sun.security.enableAIAcaIssuers` system +property is set to `true`. With this release of OpenJDK, a security +and system property `com.sun.security.allowedAIALocations` is +introduced which acts as a filter on the URIs specified in the +extension. By default, the property is empty, which will cause all +URIs to be denied when the extension is enabled. A value of `any` may +be used to allow all URIs or a whitespace-separated list of filters +may be used for more fine-grained control. The syntax of the filters +is specified in the `java.security` file. A non-empty value for the +system property takes precedence over the security property. + +security-libs/javax.net.ssl: + +JDK-8245545: Disable TLS_RSA cipher suites +========================================== +The TLS_RSA cipher suites do not preserve forward secrecy and are +rarely used in practice. With this release, they are disabled by +adding "TLS_RSA_*" to the `jdk.tls.disabledAlgorithms` security +property in the `java.security` configuration file. Attempts to use +these suites with this release will result in a +`SSLHandshakeException` being thrown. Note that RSA cipher suites +which use DES, 3DES, RC4 or NULL were already disabled prior to this +change. + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "TLS_RSA_*" is no +longer listed in the `jdk.tls.disabledAlgorithms` security property. + +This change results in the following cipher suites being disabled: + +* TLS_RSA_WITH_AES_256_GCM_SHA384 +* TLS_RSA_WITH_AES_256_CBC_SHA256 +* TLS_RSA_WITH_AES_256_CBC_SHA +* TLS_RSA_WITH_AES_128_GCM_SHA256 +* TLS_RSA_WITH_AES_128_CBC_SHA256 +* TLS_RSA_WITH_AES_128_CBC_SHA + +JDK-8340321: Disable SHA-1 in TLS/DTLS 1.2 handshake signatures +=============================================================== + +RFC 9155 deprecates the use of SHA-1 in TLS 1.2 and DTLS 1.2. The +algorithm has been regarded as insecure since 2005 and the first +public attack was published on the 23rd of February, 2017. With this +release of OpenJDK, SHA-1 is disabled in TLS 1.2 and DTLS 1.2 +handshake signature by adding "rsa_pkcs1_sha1 usage +HandshakeSignature, ecdsa_sha1 usage HandshakeSignature, dsa_sha1 +usage HandshakeSignature" to the `jdk.tls.disabledAlgorithms` security +property in the `java.security` configuration file. Attempts to use +these suites with this release will result in a +`SSLHandshakeException` being thrown. + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so the handshake +signatures are no longer listed in the `jdk.tls.disabledAlgorithms` +security property. + +This change results in the following signature schemes being disabled +for handshaking: + +* dsa_sha1 +* ecdsa_sha1 +* rsa_pkcs1_sha1 + New in release OpenJDK 21.0.9 (2025-10-21): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/fips-21u-9203d50836c.patch b/SOURCES/fips-21u-a0fd6e8ed6e.patch similarity index 99% rename from SOURCES/fips-21u-9203d50836c.patch rename to SOURCES/fips-21u-a0fd6e8ed6e.patch index 9966391..2db9580 100644 --- a/SOURCES/fips-21u-9203d50836c.patch +++ b/SOURCES/fips-21u-a0fd6e8ed6e.patch @@ -136,10 +136,10 @@ index 51d4f724c33..feb0bcf3e75 100644 BASIC_JDKLIB_LIBS="" BASIC_JDKLIB_LIBS_TARGET="" diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index f6def153c82..4d7abc33427 100644 +index 7f085676ca9..2476b9ae964 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -822,6 +822,11 @@ PANDOC_MARKDOWN_FLAG:=@PANDOC_MARKDOWN_FLAG@ # Libraries # @@ -1979,7 +1979,7 @@ index 539ef1e8ee8..435f57e3ff2 100644 "sun.security.rsa.PSSParameters", null); } diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index f8b01a4ea1e..b325bf7e9fc 100644 +index 6b0fd201b9b..2af4e3a3e21 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,17 @@ security.provider.tbd=Apple @@ -2064,7 +2064,7 @@ index f8b01a4ea1e..b325bf7e9fc 100644 # the javax.net.ssl package. diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in new file mode 100644 -index 00000000000..55bbba98b7a +index 00000000000..6de716e6b42 --- /dev/null +++ b/src/java.base/share/conf/security/nss.fips.cfg.in @@ -0,0 +1,8 @@ @@ -2074,7 +2074,7 @@ index 00000000000..55bbba98b7a +nssDbMode = readWrite +nssModule = fips + -+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true } + diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy index 86d45147709..22fd8675503 100644 @@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 01fc06ae283..e3ca000d309 100644 +index f8dd5a71c2c..6423805d164 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3005,7 +3005,7 @@ index 01fc06ae283..e3ca000d309 100644 return null; } else { return "RAW"; -@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference { +@@ -1664,4 +1671,3 @@ final class SessionKeyRef extends PhantomReference { this.clear(); } } diff --git a/SOURCES/java-21-openjdk-portable.specfile b/SOURCES/java-21-openjdk-portable.specfile index 736e385..23085bd 100644 --- a/SOURCES/java-21-openjdk-portable.specfile +++ b/SOURCES/java-21-openjdk-portable.specfile @@ -329,7 +329,7 @@ # New Version-String scheme-style defines %global featurever 21 %global interimver 0 -%global updatever 9 +%global updatever 10 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -379,7 +379,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 9203d50836c +%global fipsver a0fd6e8ed6e # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -393,7 +393,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 +%global buildver 7 %global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit @@ -661,6 +661,7 @@ Source18: TestTranslations.java # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +# OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# @@ -770,7 +771,7 @@ Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.47 +Provides: bundled(libpng) = 1.6.51 # Version in src/java.base/share/native/libzip/zlib/zlib.h Provides: bundled(zlib) = 1.3.1 # We link statically against libstdc++ to increase portability @@ -1701,6 +1702,11 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %endif + # Check blocked.certs is valid (OPENJDK-4362) + jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java + jtreg_dir=$(dirname ${jtreg_test}) + $JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test} + # Check src.zip has all sources. See RHBZ#1130490 unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' @@ -1944,6 +1950,21 @@ done %endif %changelog +* Sun Jan 18 2026 Andrew Hughes - 1:21.0.10.0.7-1 +- Update to jdk-21.0.10+7 (GA) +- Update release notes to 21.0.10+7 +- Bump libpng version to 1.6.51 following JDK-8372534 +- Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT +- Add test to ensure blocked.certs is valid (OPENJDK-4362) +- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh +- Resolves: OPENJDK-4273 +- Resolves: OPENJDK-4281 +- Resolves: OPENJDK-4357 +- Resolves: OPENJDK-4397 +- Resolves: OPENJDK-4380 +- Resolves: OPENJDK-4388 +- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** + * Fri Oct 17 2025 Andrew Hughes - 1:21.0.9.0.10-1 - Update to jdk-21.0.9+10 (GA) - Update release notes to 21.0.9+10 diff --git a/SPECS/java-21-openjdk.spec b/SPECS/java-21-openjdk.spec index fc15dfa..af4f376 100644 --- a/SPECS/java-21-openjdk.spec +++ b/SPECS/java-21-openjdk.spec @@ -308,7 +308,7 @@ # New Version-String scheme-style defines %global featurever 21 %global interimver 0 -%global updatever 9 +%global updatever 10 %global patchver 0 # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. @@ -344,7 +344,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 9203d50836c +%global fipsver a0fd6e8ed6e # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -365,8 +365,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 -%global rpmrelease 2 +%global buildver 7 +%global rpmrelease 1 # Settings used by the portable build %global portablerelease 1 # Portable suffix differs between RHEL and CentOS @@ -1438,6 +1438,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +# OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# @@ -1543,7 +1544,7 @@ Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.47 +Provides: bundled(libpng) = 1.6.51 # Version in src/java.base/share/native/libzip/zlib/zlib.h Provides: bundled(zlib) = 1.3.1 %endif @@ -2567,6 +2568,21 @@ cjc.mainProgram(args) %endif %changelog +* Sun Jan 18 2026 Andrew Hughes - 1:21.0.10.0.7-1 +- Update to jdk-21.0.10+7 (GA) +- Update release notes to 21.0.10+7 +- Bump libpng version to 1.6.51 following JDK-8372534 +- Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT +- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh +- Sync the copy of the portable specfile with the latest update +- Resolves: RHEL-142859 +- Resolves: RHEL-139560 +- Resolves: RHEL-131592 +- Resolves: RHEL-131602 +- Resolves: RHEL-122121 +- Resolves: RHEL-142820 +- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** + * Sat Oct 18 2025 Andrew Hughes - 1:21.0.9.0.10-2 - Bump rpmrelease for CentOS build - Add scripts to handle tagging of portable-based RPMs