SUSE-SU-2026:1732-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261732-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1732-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:1732-1
Upstream
  • CVE-2026-22007
  • CVE-2026-22013
  • CVE-2026-22016
  • CVE-2026-22018
  • CVE-2026-22021
  • CVE-2026-34268
  • CVE-2026-34282
Related
  • CVE-2026-22007
  • CVE-2026-22013
  • CVE-2026-22016
  • CVE-2026-22018
  • CVE-2026-22021
  • CVE-2026-23865
  • CVE-2026-34268
  • CVE-2026-34282
Published
2026-05-07T00:43:48Z
Modified
2026-05-08T08:15:19.498391Z
Summary
Security update for java-17-openjdk
Details

This update for java-17-openjdk fixes the following issues:

Upgrade to upstream tag jdk-17.0.19+10 (April 2026 CPU).

Security issues fixed:

  • CVE-2026-22007: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain unauthorized read access to a subset of accessible data (bsc#1262490).
  • CVE-2026-22013: JGSS: unauthenticated attacker with network access via multiple protocols can gain unauthorized access to critical data (bsc#1262494).
  • CVE-2026-22016: JAXP: unauthenticated attacker with network access via multiple protocols can gain unauthorized access to critical data (bsc#1262495).
  • CVE-2026-22018: Libraries: unauthenticated attacker with network access via multiple protocols can cause a partial denial of service (bsc#1262496).
  • CVE-2026-22021: JSSE: unauthenticated attacker with network access via HTTPS can cause a partial denial of service (bsc#1262497).
  • CVE-2026-23865: freetype2: integer overflow in the tt_var_load_item_variation_store function allows for an out-of-bounds read when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts (bsc#1259118).
  • CVE-2026-34268: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain unauthorized read access to a subset of data (bsc#1262500).
  • CVE-2026-34282: Networking: unauthenticated attacker with network access via multiple protocols can cause a hang or frequently repeatable crash (bsc#1262501).

Other updates and bugfixes:

  • Provide the timezone-java and tzdata-java (jsc#PED-15898).
References

Affected packages