.gitignore

@@ -42,4 +42,3 @@
 /openjdk-21.0.9+10.tar.xz
 /openjdk-21.0.10+6-ea.tar.xz
 /openjdk-21.0.10+7.tar.xz
-/openjdk-21.0.11+10.tar.xz

NEWS

@@ -3,297 +3,6 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
-New in release OpenJDK 21.0.11 (2026-04-21):
-===========================================
-Live versions of these release notes can be found at:
-  * https://bit.ly/openjdk2111
-
-* CVEs
-  - CVE-2026-22007
-  - CVE-2026-22013
-  - CVE-2026-22016
-  - CVE-2026-22018
-  - CVE-2026-22021
-  - CVE-2026-23865
-  - CVE-2026-34268
-  - CVE-2026-34282
-* Changes
-  - JDK-6899304: java.awt.Toolkit.getScreenInsets(GraphicsConfiguration) returns incorrect values
-  - JDK-8030957: AIX: Implement OperatingSystemMXBean.getSystemCpuLoad() and .getProcessCpuLoad() on AIX
-  - JDK-8075917: The regression-swing case failed as the text on label is not painted red with the GTK L&F
-  - JDK-8114830: (fs) Files.copy fails due to interference from something else changing the file system
-  - JDK-8244336: Restrict algorithms at JCE layer
-  - JDK-8256289: java/awt/Focus/AppletInitialFocusTest/AppletInitialFocusTest1.java failed with "RuntimeException: Wrong focus owner: java.awt.Button[button1,41,36,56x23,label=Button1]"
-  - JDK-8287062: com/sun/jndi/ldap/LdapPoolTimeoutTest.java failed due to different timeout message
-  - JDK-8298153: Colored text is not shown on disabled checkbox and radio button with GTK LAF for bug4314194
-  - JDK-8301875: java.util.TimeZone.getSystemTimeZoneID uses C library default file mode
-  - JDK-8313319: [linux] mmap should use MAP_FIXED_NOREPLACE if available
-  - JDK-8314555: Build with mawk fails on Windows
-  - JDK-8314810: (fs) java/nio/file/Files/CopyInterference.java should use TestUtil::supportsLinks
-  - JDK-8316274: javax/swing/ButtonGroup/TestButtonGroupFocusTraversal.java fails in Ubuntu 23.10 with Motif LAF
-  - JDK-8317633: Modernize text.testlib.HexDumpReader
-  - JDK-8317801: java/net/Socket/asyncClose/Race.java fails intermittently (aix)
-  - JDK-8317838: java/nio/channels/Channels/SocketChannelStreams.java running into timeout (aix)
-  - JDK-8318302: ThreadCountLimit.java failed with "Native memory allocation (mprotect) failed to protect 16384 bytes for memory to guard stack pages"
-  - JDK-8326897: (fs) The utility TestUtil.supportsLinks is wrongly used to check for hard link support
-  - JDK-8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)
-  - JDK-8328608: Multiple NewSessionTicket support for TLS
-  - JDK-8329337: Problem list BufferStrategyExceptionTest.java on Windows
-  - JDK-8330016: Stress seed should be initialized for runtime stub compilation
-  - JDK-8331431: Update to use jtreg 7.4
-  - JDK-8333386: TestAbortOnVMOperationTimeout test fails for client VM
-  - JDK-8333857: Test sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java failed: Existing session was used
-  - JDK-8334670: SSLSocketOutputRecord buffer miscalculation
-  - JDK-8334738: os::print_hex_dump should optionally print ASCII
-  - JDK-8335646: Nimbus : JLabel not painted with LAF defined foreground color on Ubuntu 24.04
-  - JDK-8335906: [s390x] Test Failure: GTestWrapper.java
-  - JDK-8336695: Update Commons BCEL to Version 6.10.0
-  - JDK-8337102: JITTester: Fix breaks in static initialization blocks
-  - JDK-8339238: Update to use jtreg 7.5.1
-  - JDK-8339271: giflib attribution correction
-  - JDK-8339791: Refactor MiscUndecorated/ActiveAWTWindowTest.java
-  - JDK-8341246: Test com/sun/tools/attach/PermissionTest.java fails access denied after JDK-8327114
-  - JDK-8341310: Test TestJcmdWithSideCar.java should skip ACCESS_TMP_VIA_PROC_ROOT (after JDK-8327114)
-  - JDK-8342175: MemoryEaterMT fails intermittently with ExceptionInInitializerError
-  - JDK-8342449: reimplement: JDK-8327114 Attach in Linux may have wrong behavior when pid == ns_pid
-  - JDK-8343234: (bf) Move java/nio/Buffer/LimitDirectMemory.java from ProblemList.txt to ProblemList-Virtual.txt
-  - JDK-8343377: Performance regression in reflective invocation of native methods
-  - JDK-8343622: AesDkCrypto.stringToKey should not return null
-  - JDK-8345578: New test in JDK-8343622 fails with a promoted build
-  - JDK-8345668: ZoneOffset.ofTotalSeconds performance regression
-  - JDK-8346048: test/lib/containers/docker/DockerRunOptions.java uses addJavaOpts() from ctor
-  - JDK-8346962: Test CRLReadTimeout.java fails with -Xcomp on a fastdebug build
-  - JDK-8347475: GTK: javax/swing/JColorChooser/Test8152419.java there are no swatches or RGB tab in JColorChooser
-  - JDK-8348014: Enhance certificate processing
-  - JDK-8348309: MultiNST tests need more debugging and timing
-  - JDK-8349351: Combine Screen Inset Tests into a Single File
-  - JDK-8350103: Test containers/systemd/SystemdMemoryAwarenessTest.java fails on Linux ppc64le SLES15 SP6
-  - JDK-8351000: StringBuilder getChar and putChar robustness
-  - JDK-8351458: (ch) Move preClose to UnixDispatcher
-  - JDK-8351639: Improve debuggability of test/langtools/jdk/jshell/JdiHangingListenExecutionControlTest.java test
-  - JDK-8353755: Add a helper method to Util - findComponent()
-  - JDK-8354057: Odd debug output in -Xlog:os+container=debug on certain systems
-  - JDK-8354145: G1: UseCompressedOops boundary is calculated on maximum heap region size instead of maxiumum ergonomic heap region size
-  - JDK-8354219: Automate javax/swing/JComboBox/ComboPopupBug.java
-  - JDK-8354469: Keytool exposes the password in plain text when command is piped using | grep
-  - JDK-8354559: gc/g1/TestAllocationFailure.java doesn't need WB API
-  - JDK-8354878: File Leak in CgroupSubsystemFactory::determine_type of cgroupSubsystem_linux.cpp:300
-  - JDK-8354922: ZGC: Use MAP_FIXED_NOREPLACE when reserving memory
-  - JDK-8355278: Improve debuggability of com/sun/jndi/ldap/LdapPoolTimeoutTest.java test
-  - JDK-8355445: [java.nio] Use @requires tag instead of exiting based on "os.name" property value
-  - JDK-8355632: WhiteBox.waitForReferenceProcessing() fails assert for return type
-  - JDK-8356107: [java.lang] Use @requires tag instead of exiting based on os.name or separatorChar property
-  - JDK-8357141: Update to use jtreg 7.5.2
-  - JDK-8357277: Update OpenSSL library for interop tests
-  - JDK-8357380: java/lang/StringBuilder/RacingSBThreads.java times out with C1
-  - JDK-8358077: sun.tools.attach.VirtualMachineImpl::checkCatchesAndSendQuitTo on Linux leaks file handles after JDK-8327114
-  - JDK-8358159: Empty mode/padding in cipher transformations
-  - JDK-8358751: C2: Recursive inlining check for compiled lambda forms is broken
-  - JDK-8359388: Stricter checking for cipher transformations
-  - JDK-8359827: Test runtime/Thread/ThreadCountLimit.java need loop increasing the limit
-  - JDK-8360539: DTLS handshakes fails due to improper cookie validation logic
-  - JDK-8361067: Test ExtraButtonDrag.java requires frame.dispose in finally block
-  - JDK-8361530: Test javax/swing/GraphicsConfigNotifier/StalePreferredSize.java timed out
-  - JDK-8361613: System.console() should only be available for interactive terminal
-  - JDK-8362834: Several runtime/Thread tests should mark as /native
-  - JDK-8363950: Incorrect jtreg header in TestLayoutVsICU.java
-  - JDK-8364373: Transform Affine transformations
-  - JDK-8364465: Enhance behavior of some intrinsics
-  - JDK-8364764: java/nio/channels/vthread/BlockingChannelOps.java subtests timed out
-  - JDK-8365526: Crash with null Symbol passed to SystemDictionary::resolve_or_null
-  - JDK-8365972: JFR: ThreadDump and ClassLoaderStatistics events may cause back to back rotations
-  - JDK-8366128: jdk/jdk/nio/zipfs/TestPosix.java::testJarFile uses wrong file
-  - JDK-8366261: Provide utility methods for sun.security.util.Password
-  - JDK-8366694: Test JdbStopInNotificationThreadTest.java timed out after 60 second
-  - JDK-8366817: test/jdk/javax/net/ssl/TLSCommon/interop/JdkProcServer.java and JdkProcClient.java should not delete logs
-  - JDK-8366850: Test com/sun/jdi/JdbStopInNotificationThreadTest.java failed
-  - JDK-8366866: SslRMIClientSocketFactory#createSocket lacking priviledges (securitymanger)
-  - JDK-8366938: Test runtime/handshake/HandshakeTimeoutTest.java crashed
-  - JDK-8367135: Test compiler/loopstripmining/CheckLoopStripMining.java needs internal timeouts adjusted
-  - JDK-8367583: sun/security/util/AlgorithmConstraints/InvalidCryptoDisabledAlgos.java fails after JDK-8244336
-  - JDK-8367772: Refactor createUI in PassFailJFrame
-  - JDK-8368683: [process] Increase jtreg debug output maxOutputSize for TreeTest
-  - JDK-8368787: Error reporting: hs_err files should show instructions when referencing code in nmethods
-  - JDK-8368882: NPE during text drawing on machine with JP locale
-  - JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
-  - JDK-8369575: Enhance crypto algorithm support
-  - JDK-8369858: Remove darcy author tags from jdk tests
-  - JDK-8369911: Test sun/java2d/marlin/ClipShapeTest.java#CubicDoDash, #Cubic and #Poly fail intermittent
-  - JDK-8370325: G1: Disallow GC for TLAB allocation
-  - JDK-8370529: Enhance Path Factories Redux
-  - JDK-8370572: Cgroups hierarchical memory limit is not honored after JDK-8322420
-  - JDK-8370579: PPC: fix inswri immediate argument order
-  - JDK-8370615: Improve Kerberos credentialing
-  - JDK-8370636: com/sun/jdi/TwoThreadsTest.java should wait for completion of all threads
-  - JDK-8370966: Create regression test for the hierarchical memory limit fix in JDK-8370572
-  - JDK-8370986: Enhance Zip file reading
-  - JDK-8370995: Enhance ZipFile usage
-  - JDK-8371103: vmTestbase/nsk/jvmti/scenarios/events/EM02/em02t006/TestDescription.java failing
-  - JDK-8371485: ProblemList awt/Mixing/AWT_Mixing/JTableInGlassPaneOverlapping.java for linux
-  - JDK-8371559: Intermittent timeouts in test javax/net/ssl/Stapling/HttpsUrlConnClient.java
-  - JDK-8371608: Jtreg test  jdk/internal/vm/Continuation/Fuzz.java sometimes fails with (fast)debug binaries
-  - JDK-8371830: Enhance certificate chain validation
-  - JDK-8371889: [21u] JFR: Deadlock in ThrowableTracer
-  - JDK-8371935: Enhance key generation
-  - JDK-8371978: tools/jar/ReproducibleJar.java fails on XFS
-  - JDK-8372048: Performance improvement on Linux remote desktop
-  - JDK-8372321: TestBackToBackSensitive fails intermittently after JDK-8365972
-  - JDK-8372348: Adjust some UL / JFR string deduplication output messages
-  - JDK-8372441: JFR: Improve logging of TestBackToBackSensitive
-  - JDK-8372464: Bump update version for OpenJDK: jdk-21.0.11
-  - JDK-8372710: Update ProcessBuilder/Basic regex
-  - JDK-8372756: Mouse additional buttons and horizontal scrolling are broken on XWayland GNOME >= 47 after JDK-8351907
-  - JDK-8372857: Improve debuggability of java/rmi/server/RemoteServer/AddrInUse.java test
-  - JDK-8372977: Unnecessary gthread-2.0 loading
-  - JDK-8372988: Test runtime/Nestmates/membership/TestNestHostErrorWithMultiThread.java failed: Unexpected interrupt
-  - JDK-8373290: Update FreeType to 2.14.1
-  - JDK-8373476: (tz) Update Timezone Data to 2025c
-  - JDK-8373525: C2: assert(_base == Long) failed: Not a Long
-  - JDK-8373727: New XBM images parser regression: only the first line of the bitmap array is parsed
-  - JDK-8374056: RISC-V: Fix argument passing for the RiscvFlushIcache::flush
-  - JDK-8374178: Missing include in systemDictionary.cpp after JDK-8365526
-  - JDK-8374209: [17u,21u] Backout JDK-8361748 due to JDK-8373727
-  - JDK-8374433: java/util/Locale/PreserveTagCase.java does not run any tests
-  - JDK-8374555: No need for visible input warning in s.s.u.Password when not reading from System.in
-  - JDK-8374557: Enhance TLS connection handling
-  - JDK-8374642: EscapeHash macro fails with GNU make 4.3 and 4.4
-  - JDK-8375057: Update HarfBuzz to 12.3.2
-  - JDK-8375063: Update Libpng to 1.6.54
-  - JDK-8375530: PPC64: incorrect quick verify_method_data_pointer check causes poor performance in debug build
-  - JDK-8375549: ConcurrentModificationException if jdk.crypto.disabledAlgorithms has multiple entries with known oid
-  - JDK-8375999: com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails sporadically on Windows
-  - JDK-8376251: [macos] java/awt/Frame/I18NTitle.java fails on MacOS (JDK-8355884)
-  - JDK-8376270: [21u, 17u] Redo JDK-8361748: Enforce limits on the size of an XBM image
-  - JDK-8377509: Add licenses for gcc 14.2.0
-  - JDK-8377526: Update Libpng to 1.6.55
-  - JDK-8377905: gcc.md included with every build
-  - JDK-8378218: MSYS2 reports cygwin triplet causing bash configure failure
-  - JDK-8378631: Update Zlib Data Compression Library to Version 1.3.2
-  - JDK-8378823: AIX build fails after zlib updated by JDK-8378631
-  - JDK-8378853: [25u] Make backport of JDK-8244336 comply with differences in CSR
-  - JDK-8379035: (tz) Update Timezone Data to 2026a
-  - JDK-8379158: Update FreeType to 2.14.2
-  - JDK-8379256: Update GIFlib to 6.1.1
-  - JDK-8380078: Update GIFlib to 6.1.2
-  - JDK-8380959: Update Libpng to 1.6.56
-  - JDK-8382047: Update Libpng to 1.6.57
-  - JDK-8382439: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.11
-
-Notes on individual issues:
-===========================
-
-security-libs/javax.net.ssl:
-
-JDK-8328608: Multiple NewSessionTicket support for TLS
-======================================================
-With this release of OpenJDK, the number of TLSv1.3 resumption tickets
-sent by a JSSE server per session can now be configured.  The new
-system property `jdk.tls.server.newSessionTicketCount` can be set to a
-value in the range 0 to 10.  The default is 1, which will also be used
-if an invalid value is specified for the property.
-
-JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
-===============================================================================
-In accordance with similar plans recently announced by Google and
-Mozilla, the JDK will not trust Transport Layer Security (TLS)
-certificates issued after the 17th of March 2026 which are anchored by
-Chungwa root certificates.
-
-Certificates issued on or before the 17th of March, 2026 will continue
-to be trusted until they expire.
-
-If a server's certificate chain is anchored by an affected
-certificate, attempts to negotiate a TLS session will fail with an
-Exception that indicates the trust anchor is not trusted. For example,
-
-"TLS server certificate issued after 2026-03-17 and anchored by a
-distrusted legacy Chungwa root CA: OU=ePKI Root Certification
-Authority, O="Chunghwa Telecom Co.", Ltd. C=TW"
-
-To check whether a certificate in a JDK keystore is affected by this
-change, you can the `keytool` utility:
-
-keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
-
-If any of the certificates in the chain are affected by this change,
-then you will need to update the certificate or contact the
-organisation responsible for managing the certificate.
-
-These restrictions apply to the following Chungwa root certificates
-included in the JDK:
-
-Alias name: chunghwaepkirootca
-OU=ePKI Root Certification Authority
-O="Chunghwa Telecom Co., Ltd."
-C=TW
-SHA256:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5
-
-Users can, *at their own risk*, remove this restriction by modifying
-the `java.security` configuration file (or override it by using the
-`java.security.properties` system property) so "CHUNGWA_TLS" is no
-longer listed in the `jdk.security.caDistrustPolicies` security
-property.
-
-hotspot/jfr:
-
-JDK-8365972: JFR: ThreadDump and ClassLoaderStatistics events may cause back to back rotations
-==============================================================================================
-In previous OpenJDK releases, the `jdk.ThreadDump` and
-`jdk.ClassLoaderStatistics` events were written at the beginning of a
-new file created by a file rotation.  However, in applications with
-many threads (typically more than a thousand), deep Java stacks
-(typically more than three hundred frames) or many class loaders
-(typically hundreds of thousands), the size of these events alone
-could trigger a further file rotation within one second.  This causes
-other relevant data to be flushed out very quickly (e.g. about fifteen
-seconds if using the default 250MB max file size).  In this release,
-these events are only written when a recording starts and at the end
-of a file rotation.
-
-security-libs/java.security:
-
-JDK-8244336: Restrict algorithms at JCE layer
-=============================================
-A security property named `jdk.crypto.disabledAlgorithms` has been
-added that can be used to disable JCE/JCA cryptographic services. The
-property accepts a comma-separated list of services, specified as
-Service.AlgorithName.  The current list of supported services is
-`Cipher`, `KeyStore`, `MessageDigest` and `Signature`.  Algorithms
-should be drawn from those specified by the Java Security Standard
-Algorithm Names Specification [0].  For example:
-
-jdk.crypto.disabledAlgorithms=Cipher.RSA/ECB/PKCS1Padding, MessageDigest.MD2
-
-would disable the RSA cipher when used with the ECB cipher algorithm
-mode and PKCS #1 algorithm padding, and the MD2 message digest
-algorithm.
-
-The default value for this security property is empty, which means
-that no algorithms are disabled out-of-the-box.  The value of the
-security property specified in `java.security` can be overridden by
-specifying a system property of the same name,
-`jdk.crypto.disabledAlgorithms`.  With the above example in place in
-`java.security`, running `java` as:
-
-$ java -Djdk.crypto.disabledAlgorithms=
-
-would cause these algorithms to be enabled for that run of the Java
-virtual machine.
-
-[0] https://docs.oracle.com/en/java/javase/25/docs/specs/security/standard-names.html
-
-JDK-8354469: Keytool exposes the password in plain text when command is piped using | grep
-==========================================================================================
-The `keytool` and `jarsigner` commands read passwords using the system
-console with echoing disabled to avoid them being displayed on screen.
-However, the system console is usually only available when both the
-standard input and standard output have *not* been redirected.  In
-previous OpenJDK releases, running these tools with input or output
-redirected would cause the password to be echoed to the screen in
-plain text.  With this release, echoing no longer takes place in such
-scenarios when using these tools or the JAAS `TextCallbackHandler`
-API.
-
 New in release OpenJDK 21.0.10 (2026-01-20):
 ===========================================
 Live versions of these release notes can be found at:

fips-21u-a0fd6e8ed6e.patch

@@ -208,7 +208,7 @@ index 1e0f66726d0..59fe923f2c5 100644
  # Create the symbols file for static builds.
  
 diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index 6a4e28372e5..6d06f69c50f 100644
+index 10093137151..b023c63ae58 100644
 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
 +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
 @@ -31,6 +31,7 @@ import java.security.SecureRandom;
@@ -230,16 +230,10 @@ index 6a4e28372e5..6d06f69c50f 100644
      @java.io.Serial
      private static final long serialVersionUID = 6812507587804302833L;
  
-@@ -147,301 +152,302 @@ public final class SunJCE extends Provider {
+@@ -147,298 +152,299 @@ public final class SunJCE extends Provider {
      void putEntries() {
          // reuse attribute map and reset before each reuse
          HashMap<String, String> attrs = new HashMap<>(3);
--        attrs.put("SupportedKeyClasses",
--                "java.security.interfaces.RSAPublicKey" +
--                "|java.security.interfaces.RSAPrivateKey");
--        ps("Signature", "NONEwithRSA",
--                "com.sun.crypto.provider.RSACipherAdaptor", null, attrs);
--        // continue adding cipher specific attributes
 -        attrs.put("SupportedModes", "ECB");
 -        attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
 -                + "|OAEPWITHMD5ANDMGF1PADDING"
@@ -251,6 +245,9 @@ index 6a4e28372e5..6d06f69c50f 100644
 -                + "|OAEPWITHSHA-512ANDMGF1PADDING"
 -                + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
 -                + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+-        attrs.put("SupportedKeyClasses",
+-                "java.security.interfaces.RSAPublicKey" +
+-                "|java.security.interfaces.RSAPrivateKey");
 -        ps("Cipher", "RSA",
 -                "com.sun.crypto.provider.RSACipher", null, attrs);
 -
@@ -530,12 +527,6 @@ index 6a4e28372e5..6d06f69c50f 100644
 -                "com.sun.crypto.provider.DHKeyPairGenerator",
 -                null);
 +        if (!systemFipsEnabled) {
-+            attrs.put("SupportedKeyClasses",
-+                    "java.security.interfaces.RSAPublicKey" +
-+                    "|java.security.interfaces.RSAPrivateKey");
-+            ps("Signature", "NONEwithRSA",
-+               "com.sun.crypto.provider.RSACipherAdaptor", null, attrs);
-+            // continue adding cipher specific attributes
 +            attrs.put("SupportedModes", "ECB");
 +            attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
 +                    + "|OAEPWITHMD5ANDMGF1PADDING"
@@ -547,6 +538,9 @@ index 6a4e28372e5..6d06f69c50f 100644
 +                    + "|OAEPWITHSHA-512ANDMGF1PADDING"
 +                    + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
 +                    + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++            attrs.put("SupportedKeyClasses",
++                    "java.security.interfaces.RSAPublicKey" +
++                    "|java.security.interfaces.RSAPrivateKey");
 +            ps("Cipher", "RSA",
 +                    "com.sun.crypto.provider.RSACipher", null, attrs);
 +
@@ -828,7 +822,7 @@ index 6a4e28372e5..6d06f69c50f 100644
  
          /*
           * Algorithm parameter generation engines
-@@ -450,15 +456,17 @@ public final class SunJCE extends Provider {
+@@ -447,15 +453,17 @@ public final class SunJCE extends Provider {
                  "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
                  null);
  
@@ -855,7 +849,7 @@ index 6a4e28372e5..6d06f69c50f 100644
  
          /*
           * Algorithm Parameter engines
-@@ -628,10 +636,10 @@ public final class SunJCE extends Provider {
+@@ -625,10 +633,10 @@ public final class SunJCE extends Provider {
                  "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
  
          ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128",
@@ -868,7 +862,7 @@ index 6a4e28372e5..6d06f69c50f 100644
  
          ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
                  "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
-@@ -654,136 +662,137 @@ public final class SunJCE extends Provider {
+@@ -651,136 +659,137 @@ public final class SunJCE extends Provider {
          ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256",
                  "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256");
  
@@ -1985,7 +1979,7 @@ index 539ef1e8ee8..435f57e3ff2 100644
                  "sun.security.rsa.PSSParameters", null);
      }
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index be473e3f895..1d5cb17e492 100644
+index 6b0fd201b9b..2af4e3a3e21 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
 @@ -85,6 +85,17 @@ security.provider.tbd=Apple
@@ -3017,7 +3011,7 @@ index f8dd5a71c2c..6423805d164 100644
  }
 -
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index aaafc373f80..6466581f4ae 100644
+index 0a62021633f..0723b69c2bc 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 @@ -26,6 +26,9 @@
@@ -3147,7 +3141,7 @@ index aaafc373f80..6466581f4ae 100644
              }
              p11 = tmpPKCS11;
  
-@@ -1390,11 +1462,52 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1388,11 +1460,52 @@ public final class SunPKCS11 extends AuthProvider {
          }
  
          @Override
@@ -3200,7 +3194,7 @@ index aaafc373f80..6466581f4ae 100644
              try {
                  return newInstance0(param);
              } catch (PKCS11Exception e) {
-@@ -1753,6 +1866,9 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1749,6 +1862,9 @@ public final class SunPKCS11 extends AuthProvider {
          try {
              session = token.getOpSession();
              p11.C_Logout(session.id());

gating.yaml

@@ -1,7 +1,7 @@
 # recipients: java-qa
 --- !Policy
 product_versions:
-  - rhel-9
+  - rhel-10
 decision_context: osci_compose_gate
 rules:
   - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

java-21-openjdk-portable.specfile

@@ -329,7 +329,7 @@
 # New Version-String scheme-style defines
 %global featurever 21
 %global interimver 0
-%global updatever 11
+%global updatever 10
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -379,7 +379,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver feef2dc3ca7
+%global fipsver a0fd6e8ed6e
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver         %{featurever}
@@ -393,7 +393,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        10
+%global buildver        7
 %global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -451,6 +451,11 @@
 %define jreportablearchive()  %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
 %define jdkportablearchive()  %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
 %define staticlibsportablearchive()  %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+# RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1}
+# so we have to pass in "" but evaluate it, otherwise files record will include it
+%define jreportablearchiveForFiles()  %(echo %{jreportablearchive -- ""})
+%define jdkportablearchiveForFiles()  %(echo %{jdkportablearchive -- ""})
+%define staticlibsportablearchiveForFiles()  %(echo %{staticlibsportablearchive -- ""})
 %define jreportablename()     %{expand:%{jreportablenameimpl -- %%{1}}}
 %define jdkportablename()     %{expand:%{jdkportablenameimpl -- %%{1}}}
 # Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
@@ -670,8 +675,7 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #
 #############################################
 
-# JDK-8375294: (fs) Files.copy can fail with EOPNOTSUPP when copy_file_range not supported
+# Currently empty
-Patch2001: jdk8375294-handle-EOPNOTSUPP-in-copying.patch
 
 #############################################
 #
@@ -762,19 +766,19 @@ BuildRequires: libpng-devel
 BuildRequires: zlib-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.14.2
+Provides: bundled(freetype) = 2.13.3
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 6.1.2
+Provides: bundled(giflib) = 5.2.2
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 12.3.2
+Provides: bundled(harfbuzz) = 11.2.0
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.57
+Provides: bundled(libpng) = 1.6.51
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
-Provides: bundled(zlib) = 1.3.2
+Provides: bundled(zlib) = 1.3.1
 # We link statically against libstdc++ to increase portability
 %ifnarch %{devkit_arches}
 BuildRequires: libstdc++-static
@@ -992,8 +996,6 @@ sh %{SOURCE12} %{top_level_dir_name}
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
 %patch -P1001 -p1
-# Add EOPNOTSUPP patch
-%patch -P2001 -p1
 popd # openjdk
 
 
@@ -1881,8 +1883,8 @@ done
 
 %files
 # main package builds always
-%{_jvmdir}/%{jreportablearchive -- %%{nil}}
+%{_jvmdir}/%{jreportablearchiveForFiles}
-%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum
+%{_jvmdir}/%{jreportablearchiveForFiles}.sha256sum
 %else
 %files
 # placeholder
@@ -1891,15 +1893,15 @@ done
 %if %{include_normal_build}
 
 %files devel
-%{_jvmdir}/%{jdkportablearchive -- %%{nil}}
+%{_jvmdir}/%{jdkportablearchiveForFiles}
 %{_jvmdir}/%{jdkportablearchive -- .debuginfo}
-%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
+%{_jvmdir}/%{jdkportablearchiveForFiles}.sha256sum
 %{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
 
 %if %{include_staticlibs}
 %files static-libs
-%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}
+%{_jvmdir}/%{staticlibsportablearchiveForFiles}
-%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum
+%{_jvmdir}/%{staticlibsportablearchiveForFiles}.sha256sum
 %endif
 
 %files unstripped
@@ -1953,25 +1955,6 @@ done
 %endif
 
 %changelog
-* Sat Apr 18 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.11.0.10-1
-- Update to jdk-21.0.11+10 (GA)
-- Update release notes to 21.0.11+10
-- Update FIPS patch to feef2dc3ca7 version synced with 21.0.11+9 and adapted to JDK-8244336
-- Bump freetype version to 2.14.2 following JDK-8373290 & JDK-8379158
-- Bump giflib version to 6.1.2 following JDK-8379256 & JDK-8380078
-- Bump libpng version to 1.6.57 following JDK-8380959 & JDK-8382047
-- Bump zlib version to 1.3.2 following JDK-8378631
-- Add JDK-8375294 EOPNOTSUPP patch ahead of 21.0.13
-- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. **
-- Resolves: OPENJDK-4301
-- Resolves: OPENJDK-4521
-- Resolves: OPENJDK-4543
-- Resolves: OPENJDK-4550
-- Resolves: OPENJDK-4653
-- Resolves: OPENJDK-4631
-- Resolves: OPENJDK-4606
-- Resolves: OPENJDK-4676
-
 * Sun Jan 18 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.10.0.7-1
 - Update to jdk-21.0.10+7 (GA)
 - Update release notes to 21.0.10+7

java-21-openjdk.spec

@@ -0,0 +1 @@
+java-21-openjdk-portable.specfile

jdk8375294-handle-EOPNOTSUPP-in-copying.patch

@@ -1,47 +0,0 @@
-diff --git a/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c b/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-index 207e61431dc..7c3761a613c 100644
---- a/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-+++ b/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2000, 2026, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -63,7 +63,7 @@ Java_sun_nio_ch_FileDispatcherImpl_transferFrom0(JNIEnv *env, jobject this,
-     if (n < 0) {
-         if (errno == EAGAIN)
-             return IOS_UNAVAILABLE;
--        if (errno == ENOSYS)
-+        if (errno == ENOSYS || errno == EOPNOTSUPP)
-             return IOS_UNSUPPORTED_CASE;
-         if ((errno == EBADF || errno == EINVAL || errno == EXDEV) &&
-             ((ssize_t)count >= 0))
-@@ -103,6 +103,7 @@ Java_sun_nio_ch_FileDispatcherImpl_transferTo0(JNIEnv *env, jobject this,
-                 case EINVAL:
-                 case ENOSYS:
-                 case EXDEV:
-+                case EOPNOTSUPP:
-                     // ignore and try sendfile()
-                     break;
-                 default:
-diff --git a/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c b/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-index cf8592e1ced..5f14896ad24 100644
---- a/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-+++ b/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2008, 2022, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2008, 2026, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -199,6 +199,7 @@ Java_sun_nio_fs_LinuxNativeDispatcher_directCopy0
-                     case EINVAL:
-                     case ENOSYS:
-                     case EXDEV:
-+                    case EOPNOTSUPP:
-                         // ignore and try sendfile()
-                         break;
-                     default:

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-21.0.11+10.tar.xz) = 65f20c20040a146d5c7477536d7f479d79459fc676b0ed2df2aa42704e9c12e455e748704ee1dac60ef97014cb91136265f8fd4ee10d4673368db99b18dec61f
+SHA512 (openjdk-21.0.10+7.tar.xz) = 997bae911cd414ae226603f4bb76cae3914dfc324f3c955cb3a3ad767f873b0422d5328fab3813608c59cbe6ec6d6759165c0b1aa57fc6779e051e54729d35cd