<div class="container">
<h1>Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:21608-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-12T12:36:08Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250399">bsc#1250399</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-59432.html">CVE-2025-59432</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-59432</span>
<span class="cvss-source">
(SUSE):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-59432</span>
<span class="cvss-source">
(SUSE):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-59432</span>
<span class="cvss-source">
(NVD):
</span>
<span class="cvss-score">6.6</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu fixes the following issues:</p>
<p>Changes in ongres-scram:</p>
<ul>
<li>Version 3.2</li>
<li>Fix Timing Attack Vulnerability in SCRAM Authentication
(bsc#1250399, CVE-2025-59432)</li>
<li>Updated dependencies and maven plugins</li>
<li>
<p>Use central-publishing-maven-plugin to deploy to Maven Central.</p>
</li>
<li>
<p>Do not create multirelease jar if the only Java 9+ class file is
module-info.class</p>
</li>
</ul>
<p>Changes in ongres-stringprep:</p>
<ul>
<li>Do not create multirelease jar if the only Java 9+ class file is
module-info.class</li>
</ul>
<p>Changes in plexus-testing:</p>
<ul>
<li>The build without tests does not need the full junit5; the
junit5-minimal (built with ant) is enough</li>
</ul>
<p>Changes in maven:</p>
<ul>
<li>
<p>Upgrade to upstream version 3.9.14</p>
</li>
<li>
<p>Bug Fixes</p>
<ul>
<li>plexus-testing dependencies should be used in test scope</li>
</ul>
</li>
<li>
<p>Upgrade to upstream version 3.9.13</p>
</li>
<li>
<p>Bug Fixes</p>
<ul>
<li>Bug: SecDispatcher is managed by legacy Plexus DI</li>
<li>[3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8
Java version in ranges as well</li>
</ul>
</li>
<li>
<p>Maintenance</p>
<ul>
<li>Update Maven plugin versions in default-bindings.xml</li>
<li>Migrate to JUnit 5 - avoid using TestCase</li>
</ul>
</li>
</ul>
<p>Changes in maven-doxia:</p>
<p>Upgrade to upstream version 2.1.0:</p>
<ul>
<li>
<p>New features and improvements</p>
<ul>
<li>Distinguish between linebreaks for formatting markup and
linebreaks in output</li>
<li>Return SinkEventAttributes instead of super class
MutableAttributeSet for filterAttributes</li>
<li>Optionally leave fragments of internal links untouched</li>
<li>Support strikethrough for Markdown sink</li>
<li>DOXIA-770: Only escape when necessary</li>
<li>DOXIA-760: Clarify table justification semantics and introduce
new "JUSTIFY_DEFAULT" alignment</li>
<li>DOXIA-756: Allow to customize macro execution</li>
<li>DOXIA-759: Support anchors in MarkdownSink</li>
</ul>
</li>
<li>
<p>Bug Fixes</p>
<ul>
<li>MarkdownSink: Fix verbatim inside table cell</li>
<li>Make sure to emit metadata prior to everything else</li>
<li>Convert all globally available attributes to HTML5 compliant
ones</li>
<li>Html5BaseSink: Convert non-compliant HTML5 attributes to
compliant ones</li>
<li>Support "name" attribute in "a" element still in XHTML5</li>
<li>Never emit Markdown inside HTML context</li>
<li>Use JSoup to convert HTML to XHTML after parsing with Flexmark</li>
<li>DOXIA-764: Strip leading newline after</li>
<li>DOXIA-763: Distinguish between verbatim source and non-source
in MarkdownSink</li>
<li>DOXIA-758: Consider emitComments flag in MarkdownSink</li>
<li>DOXIA-757: Don't strip leading "#" from link names</li>
<li>DOXIA-753: Do not end lists with a blank line</li>
<li>DOXIA-751: Linked inline code must be emitted in right order</li>
<li>DOXIA-749: Correctly indent and separate blocks inside list
items</li>
<li>DOXIA-750: Properly apply inlines inside HTML blocks</li>
<li>DOXIA-747: Emit headings at beginning of line for Markdown</li>
</ul>
</li>
<li>
<p>Documentation updates</p>
<ul>
<li>Site: Convert APT to Markdown</li>
<li>Improve documentation of supported extensions</li>
<li>(doc) Fix missing references in JavaDocs</li>
</ul>
</li>
<li>
<p>Maintenance</p>
<ul>
<li>Cleanup tests</li>
<li>JUnit Jupiter best practices</li>
<li>Remove commons-lang3 and commons-text dependencies</li>
<li>feat: enable prevent branch protection rules</li>
<li>Cleanup pom, remove redundant dependencies</li>
<li>Drop almost all usages of plexus-utils</li>
<li>Remove not used and outdated clirr-maven-plugin</li>
<li>Enable GitHub Issues</li>
<li>DOXIA-772: Deprecate Sink.sectionTitle() and sectionTitle_()</li>
<li>DOXIA-754: Clarify method order for nested lists</li>
</ul>
</li>
</ul>
<p>Changes in mojo-parent:</p>
<ul>
<li>Do not import junit-bom in the parent. This creates unnecessary
build cycles with junit5.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE-recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-733=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-733=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>maven-doxia-module-xdoc-2.1.0-160000.1.1</li>
<li>mojo-parent-82-160000.3.1</li>
<li>maven-javadoc-3.9.14-160000.1.1</li>
<li>xmvn-mojo-javadoc-4.3.0-160000.3.1</li>
<li>maven-doxia-javadoc-2.1.0-160000.1.1</li>
<li>xmvn-install-4.3.0-160000.3.1</li>
<li>xmvn-resolve-4.3.0-160000.3.1</li>
<li>xmvn-tools-javadoc-4.3.0-160000.3.1</li>
<li>sisu-mojos-1.0.0-160000.2.1</li>
<li>xmvn-core-4.3.0-160000.3.1</li>
<li>maven-doxia-test-docs-2.1.0-160000.1.1</li>
<li>ongres-stringprep-javadoc-2.2-160000.3.1</li>
<li>maven-doxia-sink-api-2.1.0-160000.1.1</li>
<li>sisu-inject-1.0.0-160000.2.1</li>
<li>xmvn-parent-4.3.0-160000.3.1</li>
<li>xmvn-subst-4.3.0-160000.3.1</li>
<li>maven-doxia-module-apt-2.1.0-160000.1.1</li>
<li>maven-doxia-module-xhtml5-2.1.0-160000.1.1</li>
<li>xmvn-mojo-4.3.0-160000.3.1</li>
<li>xmvn-connector-4.3.0-160000.3.1</li>
<li>ongres-stringprep-2.2-160000.3.1</li>
<li>ongres-scram-javadoc-3.2-160000.4.1</li>
<li>sisu-mojos-javadoc-1.0.0-160000.2.1</li>
<li>sisu-javadoc-1.0.0-160000.2.1</li>
<li>maven-doxia-module-fml-2.1.0-160000.1.1</li>
<li>xmvn-api-4.3.0-160000.3.1</li>
<li>xmvn-connector-javadoc-4.3.0-160000.3.1</li>
<li>ongres-scram-3.2-160000.4.1</li>
<li>ongres-scram-client-3.2-160000.4.1</li>
<li>sisu-plexus-1.0.0-160000.2.1</li>
<li>maven-doxia-core-2.1.0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>xmvn-4.3.0-160000.3.3</li>
<li>maven-3.9.14-160000.1.1</li>
<li>xmvn-minimal-4.3.0-160000.3.3</li>
<li>maven-lib-3.9.14-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
<ul>
<li>maven-doxia-module-xdoc-2.1.0-160000.1.1</li>
<li>mojo-parent-82-160000.3.1</li>
<li>maven-javadoc-3.9.14-160000.1.1</li>
<li>xmvn-mojo-javadoc-4.3.0-160000.3.1</li>
<li>maven-doxia-javadoc-2.1.0-160000.1.1</li>
<li>xmvn-install-4.3.0-160000.3.1</li>
<li>xmvn-resolve-4.3.0-160000.3.1</li>
<li>xmvn-tools-javadoc-4.3.0-160000.3.1</li>
<li>sisu-mojos-1.0.0-160000.2.1</li>
<li>xmvn-core-4.3.0-160000.3.1</li>
<li>maven-doxia-test-docs-2.1.0-160000.1.1</li>
<li>ongres-stringprep-javadoc-2.2-160000.3.1</li>
<li>maven-doxia-sink-api-2.1.0-160000.1.1</li>
<li>sisu-inject-1.0.0-160000.2.1</li>
<li>xmvn-parent-4.3.0-160000.3.1</li>
<li>xmvn-subst-4.3.0-160000.3.1</li>
<li>maven-doxia-module-apt-2.1.0-160000.1.1</li>
<li>maven-doxia-module-xhtml5-2.1.0-160000.1.1</li>
<li>xmvn-mojo-4.3.0-160000.3.1</li>
<li>xmvn-connector-4.3.0-160000.3.1</li>
<li>ongres-stringprep-2.2-160000.3.1</li>
<li>ongres-scram-javadoc-3.2-160000.4.1</li>
<li>sisu-mojos-javadoc-1.0.0-160000.2.1</li>
<li>sisu-javadoc-1.0.0-160000.2.1</li>
<li>maven-doxia-module-fml-2.1.0-160000.1.1</li>
<li>xmvn-api-4.3.0-160000.3.1</li>
<li>xmvn-connector-javadoc-4.3.0-160000.3.1</li>
<li>ongres-scram-3.2-160000.4.1</li>
<li>ongres-scram-client-3.2-160000.4.1</li>
<li>sisu-plexus-1.0.0-160000.2.1</li>
<li>maven-doxia-core-2.1.0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
<ul>
<li>xmvn-4.3.0-160000.3.3</li>
<li>maven-3.9.14-160000.1.1</li>
<li>xmvn-minimal-4.3.0-160000.3.3</li>
<li>maven-lib-3.9.14-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-59432.html">https://www.suse.com/security/cve/CVE-2025-59432.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250399">https://bugzilla.suse.com/show_bug.cgi?id=1250399</a>
</li>
</ul>
</div>