SUSE SLES16 Security Update : ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu (SUSE-SU-2026:21608-1)

high Nessus Plugin ID 315068

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:21608-1 advisory.

Changes in ongres-scram:

- Version 3.2
* Fix Timing Attack Vulnerability in SCRAM Authentication (bsc#1250399, CVE-2025-59432)
* Updated dependencies and maven plugins
* Use central-publishing-maven-plugin to deploy to Maven Central.

- Do not create multirelease jar if the only Java 9+ class file is module-info.class

Changes in ongres-stringprep:

- Do not create multirelease jar if the only Java 9+ class file is module-info.class

Changes in plexus-testing:

- The build without tests does not need the full junit5; the junit5-minimal (built with ant) is enough

Changes in maven:

- Upgrade to upstream version 3.9.14

* Bug Fixes

- plexus-testing dependencies should be used in test scope

- Upgrade to upstream version 3.9.13
* Bug Fixes
- Bug: SecDispatcher is managed by legacy Plexus DI
- [3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8 Java version in ranges as well

* Maintenance

- Update Maven plugin versions in default-bindings.xml
- Migrate to JUnit 5 - avoid using TestCase

Changes in maven-doxia:

Upgrade to upstream version 2.1.0:

* New features and improvements

- Distinguish between linebreaks for formatting markup and linebreaks in output
- Return SinkEventAttributes instead of super class MutableAttributeSet for filterAttributes
- Optionally leave fragments of internal links untouched
- Support strikethrough for Markdown sink
- DOXIA-770: Only escape when necessary
- DOXIA-760: Clarify table justification semantics and introduce new JUSTIFY_DEFAULT alignment
- DOXIA-756: Allow to customize macro execution
- DOXIA-759: Support anchors in MarkdownSink

* Bug Fixes

- MarkdownSink: Fix verbatim inside table cell
- Make sure to emit metadata prior to everything else
- Convert all globally available attributes to HTML5 compliant ones
- Html5BaseSink: Convert non-compliant HTML5 attributes to compliant ones
- Support name attribute in a element still in XHTML5
- Never emit Markdown inside HTML context
- Use JSoup to convert HTML to XHTML after parsing with Flexmark
- DOXIA-764: Strip leading newline after
- DOXIA-763: Distinguish between verbatim source and non-source in MarkdownSink
- DOXIA-758: Consider emitComments flag in MarkdownSink
- DOXIA-757: Don't strip leading # from link names
- DOXIA-753: Do not end lists with a blank line
- DOXIA-751: Linked inline code must be emitted in right order
- DOXIA-749: Correctly indent and separate blocks inside list items
- DOXIA-750: Properly apply inlines inside HTML blocks
- DOXIA-747: Emit headings at beginning of line for Markdown

* Documentation updates

- Site: Convert APT to Markdown
- Improve documentation of supported extensions
- (doc) Fix missing references in JavaDocs

* Maintenance

- Cleanup tests
- JUnit Jupiter best practices
- Remove commons-lang3 and commons-text dependencies
- feat: enable prevent branch protection rules
- Cleanup pom, remove redundant dependencies
- Drop almost all usages of plexus-utils
- Remove not used and outdated clirr-maven-plugin
- Enable Github Issues
- DOXIA-772: Deprecate Sink.sectionTitle() and sectionTitle_()
- DOXIA-754: Clarify method order for nested lists

Changes in mojo-parent:

- Do not import junit-bom in the parent. This creates unnecessary build cycles with junit5.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1250399

https://www.suse.com/security/cve/CVE-2025-59432

https://lists.suse.com/pipermail/sle-updates/2026-May/046440.html

Plugin Details

Severity: High

ID: 315068

File Name: suse_SU-2026-21608-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/16/2026

Updated: 5/16/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-59432

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:maven-doxia-module-xhtml5, p-cpe:/a:novell:suse_linux:ongres-stringprep, p-cpe:/a:novell:suse_linux:xmvn-minimal, p-cpe:/a:novell:suse_linux:ongres-scram-javadoc, p-cpe:/a:novell:suse_linux:ongres-scram-client, p-cpe:/a:novell:suse_linux:ongres-scram, p-cpe:/a:novell:suse_linux:maven, p-cpe:/a:novell:suse_linux:sisu-javadoc, p-cpe:/a:novell:suse_linux:maven-doxia-javadoc, p-cpe:/a:novell:suse_linux:maven-doxia-core, p-cpe:/a:novell:suse_linux:maven-javadoc, p-cpe:/a:novell:suse_linux:xmvn-install, p-cpe:/a:novell:suse_linux:xmvn-resolve, p-cpe:/a:novell:suse_linux:xmvn-subst, p-cpe:/a:novell:suse_linux:ongres-stringprep-javadoc, p-cpe:/a:novell:suse_linux:xmvn, p-cpe:/a:novell:suse_linux:maven-doxia-module-fml, p-cpe:/a:novell:suse_linux:mojo-parent, p-cpe:/a:novell:suse_linux:xmvn-api, p-cpe:/a:novell:suse_linux:xmvn-mojo-javadoc, p-cpe:/a:novell:suse_linux:maven-doxia-sink-api, p-cpe:/a:novell:suse_linux:xmvn-core, p-cpe:/a:novell:suse_linux:xmvn-connector, p-cpe:/a:novell:suse_linux:maven-doxia-module-apt, p-cpe:/a:novell:suse_linux:xmvn-mojo, p-cpe:/a:novell:suse_linux:sisu-inject, p-cpe:/a:novell:suse_linux:sisu-mojos-javadoc, p-cpe:/a:novell:suse_linux:maven-doxia-module-xdoc, p-cpe:/a:novell:suse_linux:sisu-mojos, p-cpe:/a:novell:suse_linux:xmvn-parent, p-cpe:/a:novell:suse_linux:xmvn-tools-javadoc, p-cpe:/a:novell:suse_linux:maven-doxia-test-docs, cpe:/o:novell:suse_linux:16, p-cpe:/a:novell:suse_linux:maven-lib, p-cpe:/a:novell:suse_linux:sisu-plexus, p-cpe:/a:novell:suse_linux:xmvn-connector-javadoc

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/12/2026

Vulnerability Publication Date: 9/16/2025

Reference Information

CVE: CVE-2025-59432

SuSE: SUSE-SU-2026:21608-1