Security update for java-11-openjdk

Announcement ID:	SUSE-SU-2025:02563-1
Release Date:	2025-07-31T02:15:55Z
Rating:	important
References:	bsc#1246575 bsc#1246580 bsc#1246584 bsc#1246595 bsc#1246598
Cross-References:	CVE-2025-30749 CVE-2025-30754 CVE-2025-30761 CVE-2025-50059 CVE-2025-50106
CVSS scores:	CVE-2025-30749 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-30749 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2025-30749 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-30754 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-30754 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30754 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30761 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-30761 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-50059 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2025-50059 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2025-50106 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-50106 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves five vulnerabilities can now be installed.

Description:

This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.28+6 (July 2025 CPU):

Security fixes:

• CVE-2025-30749: several scenarios can lead to heap corruption (bsc#1246595)
• CVE-2025-30754: incomplete handshake may lead to weakening TLS protections (bsc#1246598)
• CVE-2025-30761: Improve scripting supports (bsc#1246580)
• CVE-2025-50059: Improve HTTP client header handling (bsc#1246575)
• CVE-2025-50106: Glyph out-of-memory access and crash (bsc#1246584)

Changelog:

+ JDK-8026976: ECParameters, Point does not match field size
+ JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong
  value
+ JDK-8231058: VerifyOops crashes with assert(_offset >= 0)
  failed: offset for non comment?
+ JDK-8232625: HttpClient redirect policy should be more
  conservative
+ JDK-8258483: [TESTBUG] gtest
  CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is
  too small
+ JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are
  problematic
+ JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
+ JDK-8301753: AppendFile/WriteFile has differences between make
  3.81 and 4+
+ JDK-8303770: Remove Baltimore root certificate expiring in May
  2025
+ JDK-8315380: AsyncGetCallTrace crash in frame::safe_for_sender
+ JDK-8327476: Upgrade JLine to 3.26.1
+ JDK-8328957: Update PKCS11Test.java to not use hardcoded path
+ JDK-8331959: Update PKCS#11 Cryptographic Token Interface to
  v3.1
+ JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm
  gtest fails on ppc64 based platforms
+ JDK-8339728: [Accessibility,Windows,JAWS] Bug in the
  getKeyChar method of the AccessBridge class
+ JDK-8345133: Test sun/security/tools/jarsigner/
  /TsacertOptionTest.java failed: Warning found in stdout
+ JDK-8345625: Better HTTP connections
+ JDK-8346887: DrawFocusRect() may cause an assertion failure
+ JDK-8347629: Test FailOverDirectExecutionControlTest.java
  fails with -Xcomp
+ JDK-8348110: Update LCMS to 2.17
+ JDK-8348596: Update FreeType to 2.13.3
+ JDK-8348598: Update Libpng to 1.6.47
+ JDK-8348989: Better Glyph drawing
+ JDK-8349111: Enhance Swing supports
+ JDK-8349594: Enhance TLS protocol support
+ JDK-8350469: [11u] Test AbsPathsInImage.java fails
  - JDK-8239429 public clone
+ JDK-8350498: Remove two Camerfirma root CA certificates
+ JDK-8350991: Improve HTTP client header handling
+ JDK-8351099: Bump update version of OpenJDK: 11.0.28
+ JDK-8351422: Improve scripting supports
+ JDK-8352302: Test sun/security/tools/jarsigner/
  /TimestampCheck.java is failing
+ JDK-8352716: (tz) Update Timezone Data to 2025b
+ JDK-8356096: ISO 4217 Amendment 179 Update
+ JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS
+ JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
+ JDK-8360147: Better Glyph drawing redux

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2563=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2563=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • java-11-openjdk-debuginfo-11.0.28.0-3.90.1
  • java-11-openjdk-debugsource-11.0.28.0-3.90.1
  • java-11-openjdk-11.0.28.0-3.90.1
  • java-11-openjdk-demo-11.0.28.0-3.90.1
  • java-11-openjdk-headless-11.0.28.0-3.90.1
  • java-11-openjdk-devel-11.0.28.0-3.90.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • java-11-openjdk-debuginfo-11.0.28.0-3.90.1
  • java-11-openjdk-debugsource-11.0.28.0-3.90.1
  • java-11-openjdk-11.0.28.0-3.90.1
  • java-11-openjdk-demo-11.0.28.0-3.90.1
  • java-11-openjdk-headless-11.0.28.0-3.90.1
  • java-11-openjdk-devel-11.0.28.0-3.90.1

References:

• https://www.suse.com/security/cve/CVE-2025-30749.html
• https://www.suse.com/security/cve/CVE-2025-30754.html
• https://www.suse.com/security/cve/CVE-2025-30761.html
• https://www.suse.com/security/cve/CVE-2025-50059.html
• https://www.suse.com/security/cve/CVE-2025-50106.html
• https://bugzilla.suse.com/show_bug.cgi?id=1246575
• https://bugzilla.suse.com/show_bug.cgi?id=1246580
• https://bugzilla.suse.com/show_bug.cgi?id=1246584
• https://bugzilla.suse.com/show_bug.cgi?id=1246595
• https://bugzilla.suse.com/show_bug.cgi?id=1246598