SUSE-SU-2025:02563-1: important: Security update for java-11-openjdk

SLE-UPDATES null at suse.de
Thu Jul 31 08:30:37 UTC 2025



# Security update for java-11-openjdk

Announcement ID: SUSE-SU-2025:02563-1  
Release Date: 2025-07-31T02:15:55Z  
Rating: important  
References:

  * bsc#1246575
  * bsc#1246580
  * bsc#1246584
  * bsc#1246595
  * bsc#1246598

  
Cross-References:

  * CVE-2025-30749
  * CVE-2025-30754
  * CVE-2025-30761
  * CVE-2025-50059
  * CVE-2025-50106

  
CVSS scores:

  * CVE-2025-30749 ( SUSE ):  8.3
    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-30749 ( SUSE ):  7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
  * CVE-2025-30749 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-30754 ( SUSE ):  6.3
    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-30754 ( SUSE ):  4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2025-30754 ( NVD ):  4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2025-30761 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2025-30761 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2025-50059 ( SUSE ):  8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  * CVE-2025-50059 ( NVD ):  8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  * CVE-2025-50106 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-50106 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that solves five vulnerabilities can now be installed.

## Description:

This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.28+6 (July 2025 CPU):

Security fixes:

  * CVE-2025-30749: several scenarios can lead to heap corruption (bsc#1246595)
  * CVE-2025-30754: incomplete handshake may lead to weakening TLS protections
    (bsc#1246598)
  * CVE-2025-30761: Improve scripting supports (bsc#1246580)
  * CVE-2025-50059: Improve HTTP client header handling (bsc#1246575)
  * CVE-2025-50106: Glyph out-of-memory access and crash (bsc#1246584)

Changelog:

    
    
    + JDK-8026976: ECParameters, Point does not match field size
    + JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong
      value
    + JDK-8231058: VerifyOops crashes with assert(_offset >= 0)
      failed: offset for non comment?
    + JDK-8232625: HttpClient redirect policy should be more
      conservative
    + JDK-8258483: [TESTBUG] gtest
      CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is
      too small
    + JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are
      problematic
    + JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
    + JDK-8301753: AppendFile/WriteFile has differences between make
      3.81 and 4+
    + JDK-8303770: Remove Baltimore root certificate expiring in May
      2025
    + JDK-8315380: AsyncGetCallTrace crash in frame::safe_for_sender
    + JDK-8327476: Upgrade JLine to 3.26.1
    + JDK-8328957: Update PKCS11Test.java to not use hardcoded path
    + JDK-8331959: Update PKCS#11 Cryptographic Token Interface to
      v3.1
    + JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm
      gtest fails on ppc64 based platforms
    + JDK-8339728: [Accessibility,Windows,JAWS] Bug in the
      getKeyChar method of the AccessBridge class
    + JDK-8345133: Test sun/security/tools/jarsigner/
      /TsacertOptionTest.java failed: Warning found in stdout
    + JDK-8345625: Better HTTP connections
    + JDK-8346887: DrawFocusRect() may cause an assertion failure
    + JDK-8347629: Test FailOverDirectExecutionControlTest.java
      fails with -Xcomp
    + JDK-8348110: Update LCMS to 2.17
    + JDK-8348596: Update FreeType to 2.13.3
    + JDK-8348598: Update Libpng to 1.6.47
    + JDK-8348989: Better Glyph drawing
    + JDK-8349111: Enhance Swing supports
    + JDK-8349594: Enhance TLS protocol support
    + JDK-8350469: [11u] Test AbsPathsInImage.java fails
      - JDK-8239429 public clone
    + JDK-8350498: Remove two Camerfirma root CA certificates
    + JDK-8350991: Improve HTTP client header handling
    + JDK-8351099: Bump update version of OpenJDK: 11.0.28
    + JDK-8351422: Improve scripting supports
    + JDK-8352302: Test sun/security/tools/jarsigner/
      /TimestampCheck.java is failing
    + JDK-8352716: (tz) Update Timezone Data to 2025b
    + JDK-8356096: ISO 4217 Amendment 179 Update
    + JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS
    + JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
    + JDK-8360147: Better Glyph drawing redux
    

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2563=1

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2563=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
    * java-11-openjdk-debuginfo-11.0.28.0-3.90.1
    * java-11-openjdk-debugsource-11.0.28.0-3.90.1
    * java-11-openjdk-11.0.28.0-3.90.1
    * java-11-openjdk-demo-11.0.28.0-3.90.1
    * java-11-openjdk-headless-11.0.28.0-3.90.1
    * java-11-openjdk-devel-11.0.28.0-3.90.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
    * java-11-openjdk-debuginfo-11.0.28.0-3.90.1
    * java-11-openjdk-debugsource-11.0.28.0-3.90.1
    * java-11-openjdk-11.0.28.0-3.90.1
    * java-11-openjdk-demo-11.0.28.0-3.90.1
    * java-11-openjdk-headless-11.0.28.0-3.90.1
    * java-11-openjdk-devel-11.0.28.0-3.90.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-30749.html
  * https://www.suse.com/security/cve/CVE-2025-30754.html
  * https://www.suse.com/security/cve/CVE-2025-30761.html
  * https://www.suse.com/security/cve/CVE-2025-50059.html
  * https://www.suse.com/security/cve/CVE-2025-50106.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1246575
  * https://bugzilla.suse.com/show_bug.cgi?id=1246580
  * https://bugzilla.suse.com/show_bug.cgi?id=1246584
  * https://bugzilla.suse.com/show_bug.cgi?id=1246595
  * https://bugzilla.suse.com/show_bug.cgi?id=1246598

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250731/c1971121/attachment.htm>


More information about the sle-updates mailing list