Security update for java-1_8_0-openjdk

Announcement ID:	SUSE-SU-2025:03120-1
Release Date:	2025-09-09T15:10:05Z
Rating:	important
References:	bsc#1246580 bsc#1246584 bsc#1246595 bsc#1246598 bsc#1246806
Cross-References:	CVE-2025-30749 CVE-2025-30754 CVE-2025-30761 CVE-2025-50106
CVSS scores:	CVE-2025-30749 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-30749 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2025-30749 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-30754 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-30754 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30754 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30761 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-30761 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-50106 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-50106 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for java-1_8_0-openjdk fixes the following issues:

Update to version jdk8u462 (icedtea-3.36.0).

Security issues fixed:

• CVE-2025-30749: heap corruption allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246595).
• CVE-2025-30754: incomplete handshake allows unauthenticated attacker with network access via TLS to gain unauthorized update, insert, delete and read access to sensitive data (bsc#1246598).
• CVE-2025-30761: issue in Scripting component allows unauthenticated attacker with network access to gain unauthorized creation, deletion or modification access to critical data (bsc#1246580).
• CVE-2025-50106: Glyph out-of-memory access allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246584).

Other issues fixed:

• Import of OpenJDK 8 u462 build 08
• JDK-8026976: ECParameters, Point does not match field size.
• JDK-8071996: split_if accesses NULL region of ConstraintCast.
• JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names.
• JDK-8186787: clang-4.0 SIGSEGV in Unsafe_PutByte.
• JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken.
• JDK-8278472: Invalid value set to CANDIDATEFORM structure.
• JDK-8293107: GHA: Bump to Ubuntu 22.04.
• JDK-8303770: Remove Baltimore root certificate expiring in May 2025.
• JDK-8309841: Jarsigner should print a warning if an entry is removed.
• JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract.
• JDK-8345625: Better HTTP connections.
• JDK-8346887: DrawFocusRect() may cause an assertion failure.
• JDK-8349111: Enhance Swing supports.
• JDK-8350498: Remove two Camerfirma root CA certificates.
• JDK-8352716: (tz) Update Timezone Data to 2025b.
• JDK-8353433: XCG currency code not recognized in JDK 8u.
• JDK-8356096: ISO 4217 Amendment 179 Update.
• JDK-8359170: Add 2 TLS and 2 CS Sectigo roots.
• Backports
• JDK-8358538: Update GHA Windows runner to 2025.
• JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-3120=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3120=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • java-1_8_0-openjdk-debugsource-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-demo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-devel-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-headless-1.8.0.462-27.117.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • java-1_8_0-openjdk-debugsource-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-demo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-devel-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.462-27.117.1
  • java-1_8_0-openjdk-headless-1.8.0.462-27.117.1

References:

• https://www.suse.com/security/cve/CVE-2025-30749.html
• https://www.suse.com/security/cve/CVE-2025-30754.html
• https://www.suse.com/security/cve/CVE-2025-30761.html
• https://www.suse.com/security/cve/CVE-2025-50106.html
• https://bugzilla.suse.com/show_bug.cgi?id=1246580
• https://bugzilla.suse.com/show_bug.cgi?id=1246584
• https://bugzilla.suse.com/show_bug.cgi?id=1246595
• https://bugzilla.suse.com/show_bug.cgi?id=1246598
• https://bugzilla.suse.com/show_bug.cgi?id=1246806