Security update for java-11-openjdk

Announcement ID:	SUSE-SU-2025:1399-1
Release Date:	2025-04-29T13:35:11Z
Rating:	important
References:	bsc#1241274 bsc#1241275 bsc#1241276
Cross-References:	CVE-2025-21587 CVE-2025-30691 CVE-2025-30698
CVSS scores:	CVE-2025-21587 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2025-21587 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2025-21587 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2025-30691 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-30691 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30691 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30698 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-30698 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-30698 ( NVD ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves three vulnerabilities can now be installed.

Description:

This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.27+6 (April 2025 CPU)

CVEs:

• CVE-2025-21587: Fixed JSSE unauthorized access, deletion or modification of critical data (bsc#1241274)
• CVE-2025-30691: Fixed Oracle Java SE Compiler Unauthorized Data Access (bsc#1241275)
• CVE-2025-30698: Fixed Oracle Java 2D unauthorized data access and DoS (bsc#1241276)

Changes:

+ JDK-8195675: Call to insertText with single character
  from custom Input Method ignored
+ JDK-8202926: Test java/awt/Focus/
  /WindowUpdateFocusabilityTest/
  /WindowUpdateFocusabilityTest.html fails
+ JDK-8216539: tools/jar/modularJar/Basic.java timed out
+ JDK-8268364: jmethod clearing should be done during
  unloading
+ JDK-8273914: Indy string concat changes order of
  operations
+ JDK-8294316: SA core file support is broken on macosx-x64
  starting with macOS 12.x
+ JDK-8306408: Fix the format of several tables in
  building.md
+ JDK-8309841: Jarsigner should print a warning if an entry
  is removed
+ JDK-8312049: runtime/logging/ClassLoadUnloadTest can be
  improved
+ JDK-8320916: jdk/jfr/event/gc/stacktrace/
  /TestParallelMarkSweepAllocationPendingStackTrace.java failed
  with "OutOfMemoryError: GC overhead limit exceeded"
+ JDK-8327650: Test java/nio/channels/DatagramChannel/
  /StressNativeSignal.java timed out
+ JDK-8328242: Add a log area to the PassFailJFrame
+ JDK-8331863: DUIterator_Fast used before it is constructed
+ JDK-8336012: Fix usages of jtreg-reserved properties
+ JDK-8337494: Clarify JarInputStream behavior
+ JDK-8337692: Better TLS connection support
+ JDK-8338430: Improve compiler transformations
+ JDK-8339560: Unaddressed comments during code review of
  JDK-8337664
+ JDK-8339810: Clean up the code in sun.tools.jar.Main to
  properly close resources and use ZipFile during extract
+ JDK-8339931: Update problem list for
  WindowUpdateFocusabilityTest.java
+ JDK-8340387: Update OS detection code to recognize
  Windows Server 2025
+ JDK-8341424: GHA: Collect hs_errs from build time failures
+ JDK-8342562: Enhance Deflater operations
+ JDK-8342704: GHA: Report truncation is broken after
  JDK-8341424
+ JDK-8343007: Enhance Buffered Image handling
+ JDK-8343474: [updates] Customize README.md to specifics
  of update project
+ JDK-8343599: Kmem limit and max values swapped when
  printing container information
+ JDK-8343786: [11u] GHA: Bump macOS and Xcode versions to
  macos-13 and XCode 14.3.1
+ JDK-8344589: Update IANA Language Subtag Registry to
  Version 2024-11-19
+ JDK-8345509: Bump update version of OpenJDK: 11.0.27
+ JDK-8346587: Distrust TLS server certificates anchored by
  Camerfirma Root CAs
+ JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no
  license header
+ JDK-8347847: Enhance jar file support
+ JDK-8347965: (tz) Update Timezone Data to 2025a
+ JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25
  updates
+ JDK-8352097: (tz) zone.tab update missed in 2025a backport
+ JDK-8354087: [11u] Remove designator
  DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.27

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-1399=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1399=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • java-11-openjdk-headless-11.0.27.0-3.87.1
  • java-11-openjdk-demo-11.0.27.0-3.87.1
  • java-11-openjdk-devel-11.0.27.0-3.87.1
  • java-11-openjdk-11.0.27.0-3.87.1
  • java-11-openjdk-debuginfo-11.0.27.0-3.87.1
  • java-11-openjdk-debugsource-11.0.27.0-3.87.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • java-11-openjdk-headless-11.0.27.0-3.87.1
  • java-11-openjdk-demo-11.0.27.0-3.87.1
  • java-11-openjdk-devel-11.0.27.0-3.87.1
  • java-11-openjdk-11.0.27.0-3.87.1
  • java-11-openjdk-debuginfo-11.0.27.0-3.87.1
  • java-11-openjdk-debugsource-11.0.27.0-3.87.1

References:

• https://www.suse.com/security/cve/CVE-2025-21587.html
• https://www.suse.com/security/cve/CVE-2025-30691.html
• https://www.suse.com/security/cve/CVE-2025-30698.html
• https://bugzilla.suse.com/show_bug.cgi?id=1241274
• https://bugzilla.suse.com/show_bug.cgi?id=1241275
• https://bugzilla.suse.com/show_bug.cgi?id=1241276