Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu

Announcement ID: SUSE-SU-2026:21608-1
Release Date: 2026-05-12T12:36:08Z
Rating: moderate
CVSS scores:
  • CVE-2025-59432 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • CVE-2025-59432 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
  • CVE-2025-59432 ( NVD ): 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
  • SUSE Linux Enterprise Server 16.0
  • SUSE Linux Enterprise Server for SAP applications 16.0

An update that solves one vulnerability can now be installed.

Description:

This update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu fixes the following issues:

Changes in ongres-scram:

  • Version 3.2

    • Fix Timing Attack Vulnerability in SCRAM Authentication (bsc#1250399, CVE-2025-59432)
    • Updated dependencies and maven plugins
    • Use central-publishing-maven-plugin to deploy to Maven Central.
  • Do not create multirelease jar if the only Java 9+ class file is module-info.class

Changes in ongres-stringprep:

  • Do not create multirelease jar if the only Java 9+ class file is module-info.class

Changes in plexus-testing:

  • The build without tests does not need the full junit5; the junit5-minimal (built with ant) is enough

Changes in maven:

  • Upgrade to upstream version 3.9.14

    • Bug Fixes

      • plexus-testing dependencies should be used in test scope
  • Upgrade to upstream version 3.9.13

    • Bug Fixes

      • Bug: SecDispatcher is managed by legacy Plexus DI
      • [3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8 Java version in ranges as well
    • Maintenance

      • Update Maven plugin versions in default-bindings.xml
      • Migrate to JUnit 5 - avoid using TestCase

Changes in maven-doxia:

Upgrade to upstream version 2.1.0:

  • New features and improvements

    • Distinguish between linebreaks for formatting markup and linebreaks in output
    • Return SinkEventAttributes instead of super class MutableAttributeSet for filterAttributes
    • Optionally leave fragments of internal links untouched
    • Support strikethrough for Markdown sink
    • DOXIA-770: Only escape when necessary
    • DOXIA-760: Clarify table justification semantics and introduce new "JUSTIFY_DEFAULT" alignment
    • DOXIA-756: Allow to customize macro execution
    • DOXIA-759: Support anchors in MarkdownSink
  • Bug Fixes

    • MarkdownSink: Fix verbatim inside table cell
    • Make sure to emit metadata prior everything else
    • Convert all globally available attributes to HTML5 compliant ones
    • Html5BaseSink: Convert non-compliant HTML5 attributes to compliant ones
    • Support "name" attribute in "a" element still in XHTML5
    • Never emit Markdown inside HTML context
    • Use JSoup to convert HTML to XHTML after parsing with Flexmark
    • DOXIA-764: Strip leading newline after
    • DOXIA-763: Distinguish between verbatim source and non-source in MarkdownSink
    • DOXIA-758: Consider emitComments flag in MarkdownSink
    • DOXIA-757: Don't strip leading "#" from link names
    • DOXIA-753: Do not end lists with a blank line
    • DOXIA-751: Linked inline code must be emitted in right order
    • DOXIA-749: Correctly indent and separate blocks inside list items
    • DOXIA-750: Properly apply inlines inside HTML blocks
    • DOXIA-747: Emit headings at beginning of line for Markdown
  • Documentation updates

    • Site: Convert APT to Markdown
    • Improve documentation of supported extensions
    • (doc) Fix missing references in JavaDocs
  • Maintenance

    • Cleanup tests
    • JUnit Jupiter best practices
    • Remove commons-lang3 and commons-text dependencies
    • feat: enable prevent branch protection rules
    • Cleanup pom, remove redundant dependencies
    • Drop almost all usages of plexus-utils
    • Remove not used and outdated clirr-maven-plugin
    • Enable Github Issues
    • DOXIA-772: Deprecate Sink.sectionTitle() and sectionTitle_()
    • DOXIA-754: Clarify method order for nested lists

Changes in mojo-parent:

  • Do not import junit-bom in the parent. This creates unnecessary build cycles with junit5.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 16.0
    zypper in -t patch SUSE-SLES-16.0-733=1
  • SUSE Linux Enterprise Server for SAP applications 16.0
    zypper in -t patch SUSE-SLES-16.0-733=1

Package List:

  • SUSE Linux Enterprise Server 16.0 (noarch)
    • maven-doxia-module-xdoc-2.1.0-160000.1.1
    • mojo-parent-82-160000.3.1
    • maven-javadoc-3.9.14-160000.1.1
    • xmvn-mojo-javadoc-4.3.0-160000.3.1
    • maven-doxia-javadoc-2.1.0-160000.1.1
    • xmvn-install-4.3.0-160000.3.1
    • xmvn-resolve-4.3.0-160000.3.1
    • xmvn-tools-javadoc-4.3.0-160000.3.1
    • sisu-mojos-1.0.0-160000.2.1
    • xmvn-core-4.3.0-160000.3.1
    • maven-doxia-test-docs-2.1.0-160000.1.1
    • ongres-stringprep-javadoc-2.2-160000.3.1
    • maven-doxia-sink-api-2.1.0-160000.1.1
    • sisu-inject-1.0.0-160000.2.1
    • xmvn-parent-4.3.0-160000.3.1
    • xmvn-subst-4.3.0-160000.3.1
    • maven-doxia-module-apt-2.1.0-160000.1.1
    • maven-doxia-module-xhtml5-2.1.0-160000.1.1
    • xmvn-mojo-4.3.0-160000.3.1
    • xmvn-connector-4.3.0-160000.3.1
    • ongres-stringprep-2.2-160000.3.1
    • ongres-scram-javadoc-3.2-160000.4.1
    • sisu-mojos-javadoc-1.0.0-160000.2.1
    • sisu-javadoc-1.0.0-160000.2.1
    • maven-doxia-module-fml-2.1.0-160000.1.1
    • xmvn-api-4.3.0-160000.3.1
    • xmvn-connector-javadoc-4.3.0-160000.3.1
    • ongres-scram-3.2-160000.4.1
    • ongres-scram-client-3.2-160000.4.1
    • sisu-plexus-1.0.0-160000.2.1
    • maven-doxia-core-2.1.0-160000.1.1
  • SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
    • xmvn-4.3.0-160000.3.3
    • maven-3.9.14-160000.1.1
    • xmvn-minimal-4.3.0-160000.3.3
    • maven-lib-3.9.14-160000.1.1
  • SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
    • maven-doxia-module-xdoc-2.1.0-160000.1.1
    • mojo-parent-82-160000.3.1
    • maven-javadoc-3.9.14-160000.1.1
    • xmvn-mojo-javadoc-4.3.0-160000.3.1
    • maven-doxia-javadoc-2.1.0-160000.1.1
    • xmvn-install-4.3.0-160000.3.1
    • xmvn-resolve-4.3.0-160000.3.1
    • xmvn-tools-javadoc-4.3.0-160000.3.1
    • sisu-mojos-1.0.0-160000.2.1
    • xmvn-core-4.3.0-160000.3.1
    • maven-doxia-test-docs-2.1.0-160000.1.1
    • ongres-stringprep-javadoc-2.2-160000.3.1
    • maven-doxia-sink-api-2.1.0-160000.1.1
    • sisu-inject-1.0.0-160000.2.1
    • xmvn-parent-4.3.0-160000.3.1
    • xmvn-subst-4.3.0-160000.3.1
    • maven-doxia-module-apt-2.1.0-160000.1.1
    • maven-doxia-module-xhtml5-2.1.0-160000.1.1
    • xmvn-mojo-4.3.0-160000.3.1
    • xmvn-connector-4.3.0-160000.3.1
    • ongres-stringprep-2.2-160000.3.1
    • ongres-scram-javadoc-3.2-160000.4.1
    • sisu-mojos-javadoc-1.0.0-160000.2.1
    • sisu-javadoc-1.0.0-160000.2.1
    • maven-doxia-module-fml-2.1.0-160000.1.1
    • xmvn-api-4.3.0-160000.3.1
    • xmvn-connector-javadoc-4.3.0-160000.3.1
    • ongres-scram-3.2-160000.4.1
    • ongres-scram-client-3.2-160000.4.1
    • sisu-plexus-1.0.0-160000.2.1
    • maven-doxia-core-2.1.0-160000.1.1
  • SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
    • xmvn-4.3.0-160000.3.3
    • maven-3.9.14-160000.1.1
    • xmvn-minimal-4.3.0-160000.3.3
    • maven-lib-3.9.14-160000.1.1
