SUSE-SU-2026:21608-1: moderate: Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu
SLE-UPDATES
null at suse.de
Fri May 15 08:31:00 UTC 2026
# Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu
Announcement ID: SUSE-SU-2026:21608-1
Release Date: 2026-05-12T12:36:08Z
Rating: moderate
References:
* bsc#1250399
Cross-References:
* CVE-2025-59432
CVSS scores:
* CVE-2025-59432 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-59432 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-59432 ( NVD ): 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves one vulnerability can now be installed.
## Description:
This update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu fixes the following issues:
Changes in ongres-scram:
* Version 3.2
* Fix Timing Attack Vulnerability in SCRAM Authentication (bsc#1250399, CVE-2025-59432)
* Updated dependencies and maven plugins
* Use central-publishing-maven-plugin to deploy to Maven Central.
* Do not create multirelease jar if the only Java 9+ class file is module-info.class
Changes in ongres-stringprep:
* Do not create multirelease jar if the only Java 9+ class file is module-info.class
Changes in plexus-testing:
* The build without tests does not need the full junit5; the junit5-minimal (built with ant) is enough
Changes in maven:
* Upgrade to upstream version 3.9.14
* Bug Fixes
* plexus-testing dependencies should be used in test scope
* Upgrade to upstream version 3.9.13
* Bug Fixes
* Bug: SecDispatcher is managed by legacy Plexus DI
* [3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8 Java version in ranges as well
* Maintenance
* Update Maven plugin versions in default-bindings.xml
* Migrate to JUnit 5 - avoid using TestCase
Changes in maven-doxia:
Upgrade to upstream version 2.1.0:
* New features and improvements
* Distinguish between linebreaks for formatting markup and linebreaks in output
* Return SinkEventAttributes instead of super class MutableAttributeSet for filterAttributes
* Optionally leave fragments of internal links untouched
* Support strikethrough for Markdown sink
* DOXIA-770: Only escape when necessary
* DOXIA-760: Clarify table justification semantics and introduce new "JUSTIFY_DEFAULT" alignment
* DOXIA-756: Allow to customize macro execution
* DOXIA-759: Support anchors in MarkdownSink
* Bug Fixes
* MarkdownSink: Fix verbatim inside table cell
* Make sure to emit metadata prior everything else
* Convert all globally available attributes to HTML5 compliant ones
* Html5BaseSink: Convert non-compliant HTML5 attributes to compliant ones
* Support "name" attribute in "a" element still in XHTML5
* Never emit Markdown inside HTML context
* Use JSoup to convert HTML to XHTML after parsing with Flexmark
* DOXIA-764: Strip leading newline after
* DOXIA-763: Distinguish between verbatim source and non-source in MarkdownSink
* DOXIA-758: Consider emitComments flag in MarkdownSink
* DOXIA-757: Don't strip leading "#" from link names
* DOXIA-753: Do not end lists with a blank line
* DOXIA-751: Linked inline code must be emitted in right order
* DOXIA-749: Correctly indent and separate blocks inside list items
* DOXIA-750: Properly apply inlines inside HTML blocks
* DOXIA-747: Emit headings at beginning of line for Markdown
* Documentation updates
* Site: Convert APT to Markdown
* Improve documentation of supported extensions
* (doc) Fix missing references in JavaDocs
* Maintenance
* Cleanup tests
* JUnit Jupiter best practices
* Remove commons-lang3 and commons-text dependencies
* feat: enable prevent branch protection rules
* Cleanup pom, remove redundant dependencies
* Drop almost all usages of plexus-utils
* Remove not used and outdated clirr-maven-plugin
* Enable Github Issues
* DOXIA-772: Deprecate Sink.sectionTitle() and sectionTitle_()
* DOXIA-754: Clarify method order for nested lists
Changes in mojo-parent:
* Do not import junit-bom in the parent. This creates unnecessary build cycles with junit5.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 16.0
    zypper in -t patch SUSE-SLES-16.0-733=1
* SUSE Linux Enterprise Server for SAP applications 16.0
    zypper in -t patch SUSE-SLES-16.0-733=1
## Package List:
* SUSE Linux Enterprise Server 16.0 (noarch)
* maven-doxia-module-xdoc-2.1.0-160000.1.1
* mojo-parent-82-160000.3.1
* maven-javadoc-3.9.14-160000.1.1
* xmvn-mojo-javadoc-4.3.0-160000.3.1
* maven-doxia-javadoc-2.1.0-160000.1.1
* xmvn-install-4.3.0-160000.3.1
* xmvn-resolve-4.3.0-160000.3.1
* xmvn-tools-javadoc-4.3.0-160000.3.1
* sisu-mojos-1.0.0-160000.2.1
* xmvn-core-4.3.0-160000.3.1
* maven-doxia-test-docs-2.1.0-160000.1.1
* ongres-stringprep-javadoc-2.2-160000.3.1
* maven-doxia-sink-api-2.1.0-160000.1.1
* sisu-inject-1.0.0-160000.2.1
* xmvn-parent-4.3.0-160000.3.1
* xmvn-subst-4.3.0-160000.3.1
* maven-doxia-module-apt-2.1.0-160000.1.1
* maven-doxia-module-xhtml5-2.1.0-160000.1.1
* xmvn-mojo-4.3.0-160000.3.1
* xmvn-connector-4.3.0-160000.3.1
* ongres-stringprep-2.2-160000.3.1
* ongres-scram-javadoc-3.2-160000.4.1
* sisu-mojos-javadoc-1.0.0-160000.2.1
* sisu-javadoc-1.0.0-160000.2.1
* maven-doxia-module-fml-2.1.0-160000.1.1
* xmvn-api-4.3.0-160000.3.1
* xmvn-connector-javadoc-4.3.0-160000.3.1
* ongres-scram-3.2-160000.4.1
* ongres-scram-client-3.2-160000.4.1
* sisu-plexus-1.0.0-160000.2.1
* maven-doxia-core-2.1.0-160000.1.1
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* xmvn-4.3.0-160000.3.3
* maven-3.9.14-160000.1.1
* xmvn-minimal-4.3.0-160000.3.3
* maven-lib-3.9.14-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
* maven-doxia-module-xdoc-2.1.0-160000.1.1
* mojo-parent-82-160000.3.1
* maven-javadoc-3.9.14-160000.1.1
* xmvn-mojo-javadoc-4.3.0-160000.3.1
* maven-doxia-javadoc-2.1.0-160000.1.1
* xmvn-install-4.3.0-160000.3.1
* xmvn-resolve-4.3.0-160000.3.1
* xmvn-tools-javadoc-4.3.0-160000.3.1
* sisu-mojos-1.0.0-160000.2.1
* xmvn-core-4.3.0-160000.3.1
* maven-doxia-test-docs-2.1.0-160000.1.1
* ongres-stringprep-javadoc-2.2-160000.3.1
* maven-doxia-sink-api-2.1.0-160000.1.1
* sisu-inject-1.0.0-160000.2.1
* xmvn-parent-4.3.0-160000.3.1
* xmvn-subst-4.3.0-160000.3.1
* maven-doxia-module-apt-2.1.0-160000.1.1
* maven-doxia-module-xhtml5-2.1.0-160000.1.1
* xmvn-mojo-4.3.0-160000.3.1
* xmvn-connector-4.3.0-160000.3.1
* ongres-stringprep-2.2-160000.3.1
* ongres-scram-javadoc-3.2-160000.4.1
* sisu-mojos-javadoc-1.0.0-160000.2.1
* sisu-javadoc-1.0.0-160000.2.1
* maven-doxia-module-fml-2.1.0-160000.1.1
* xmvn-api-4.3.0-160000.3.1
* xmvn-connector-javadoc-4.3.0-160000.3.1
* ongres-scram-3.2-160000.4.1
* ongres-scram-client-3.2-160000.4.1
* sisu-plexus-1.0.0-160000.2.1
* maven-doxia-core-2.1.0-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* xmvn-4.3.0-160000.3.3
* maven-3.9.14-160000.1.1
* xmvn-minimal-4.3.0-160000.3.3
* maven-lib-3.9.14-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-59432.html
* https://bugzilla.suse.com/show_bug.cgi?id=1250399