Sonatype Nexus Repository 3.68.0 - 3.68.1 Release Notes

3.68.1 Released May 16, 2024

3.68.0 Released May 7, 2024

Highlights in This Release

Critical Vulnerability Fix for All Sonatype Nexus Repository Deployments

Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 deployments. This vulnerability can allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope. To our knowledge, this vulnerability is not being actively exploited. See our CVE-2024-4956 KB article for full details.

View Repository Size

Nexus Repository Pro deployments using a PostgreSQL database can now see repository sizes displayed in the repositories listing under Administration → Repository → Repositories.

Sunset of Legacy High Availability Clustering (HA-C)

Our legacy High Availability Clustering (HA-C) feature officially reached sunset status on April 17, 2024. As Nexus Repository will not start for any deployments that use legacy HA-C, ensure you have migrated off of legacy HA-C before upgrading to version 3.68.0 or beyond.

What's New in 3.68.1?

Sonatype Nexus Repository 3.68.1 includes a critical vulnerability fix as described below. All Sonatype Nexus Repository deployments should upgrade to 3.68.1 as soon as possible.

Critical Vulnerability Fix for All Sonatype Nexus Repository Deployments

Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 OSS and Pro deployments. This vulnerability could allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope.

To our knowledge, this vulnerability is not being actively exploited; however, all Sonatype Nexus Repository deployments should upgrade to 3.68.1 as soon as possible.

See our CVE-2024-4956 KB article for full details.

What’s New in 3.68.0?

Check out what’s new and noteworthy in the Sonatype Nexus Repository 3.68.0 release:

View Repository Size from Repository Management Screen and API

Sonatype Nexus Repository Pro deployments using a PostgreSQL database can now take advantage of a much-anticipated and highly requested feature: viewing repository sizes from the repository management screen.

Use repository size to quickly identify the largest repositories in your deployments. From there, you can evaluate your current cleanup policies and make adjustments as necessary to ensure you are only storing what you actually need, reducing operational cost.

You can also view repository sizes using the GET v1/repositories/{repositoryName} (to retrieve an individual repository) or GET v1/repositories (to retrieve a list of all repositories) APIs.

For most deployments, it should take no more than 5 minutes from when a component is uploaded for the repository size to update. See our Repository Size Calculation Performance Data help topic for more details on expected performance.

Also, be sure to check out the Repository Management section of our help documentation for more details about Nexus Repository features that help you manage your repositories.

This feature was made possible because of your feedback in the Ideas Portal.

Uploading to Raw Repository with API Generates SHA256 and SHA512 Checksums

Previously, uploading to a raw repository via API with PUT generated MD5 and SHA1 checksums; with this release, Nexus Repository also generates SHA256 and SHA512 checksums.
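One way a client can use the stronger digests when verifying a downloaded raw asset, shown as an added example that is not Sonatype's code. The checksum record shape (a mapping of algorithm name to hex digest), the function names, and the sample data are assumptions constructed for illustration:

```python
import hashlib
import hmac

# Strongest first; MD5 and SHA-1 are collision-prone and treated as legacy fallbacks.
PREFERENCE = ("sha512", "sha256", "sha1", "md5")
LEGACY = {"sha1", "md5"}


def compute_digests(data: bytes) -> dict:
    """Hex digests of `data` for the four algorithms named in the release note."""
    return {name: hashlib.new(name, data).hexdigest() for name in PREFERENCE}


def verify_asset(data: bytes, published: dict, allow_legacy: bool = False) -> str:
    """Check `data` against the strongest published checksum.

    `published` maps algorithm name -> hex digest (assumed record shape).
    Returns the algorithm that was verified. Raises ValueError on a mismatch,
    or when only MD5/SHA-1 are published and allow_legacy is False.
    """
    published = {k.lower(): v.strip().lower() for k, v in published.items()}
    for algo in PREFERENCE:
        if algo not in published:
            continue
        if algo in LEGACY and not allow_legacy:
            raise ValueError(f"only legacy checksum ({algo}) published")
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, published[algo]):
            raise ValueError(f"{algo} mismatch")
        return algo
    raise ValueError("no supported checksum published")


# Constructed sample data: an artifact body and two checksum records.
SAMPLE = b"constructed raw artifact contents\n"
NEW_RECORD = compute_digests(SAMPLE)  # models an asset uploaded on 3.68.0 or later
# Models an asset uploaded before 3.68.0 (assumed to carry only MD5 and SHA-1).
OLD_RECORD = {k: NEW_RECORD[k] for k in ("md5", "sha1")}

if __name__ == "__main__":
    print("verified with", verify_asset(SAMPLE, NEW_RECORD))
    try:
        verify_asset(SAMPLE, OLD_RECORD)
    except ValueError as exc:
        print("rejected:", exc)
```

Assets that fail with the legacy-only error are candidates for re-upload so that SHA256 and SHA512 checksums are generated for them.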

Use Wildcards When Filtering Privileges and Roles

When creating a new role or modifying the applied privileges and roles for an existing role, administrators can now use an asterisk as a wildcard in the search bar. This allows more flexible and rapid filtering when managing Sonatype Nexus Repository access.

View Rebuild Repository Browse Task Progress in User Interface

Users and administrators can now see more detailed information about the Repair - Rebuild repository browse task’s progress as it runs. The task management table under Administration → Tasks now displays the task’s completion percentage to provide more insight into how long the task will take to complete. We will continue to add this functionality for additional tasks in the future.

Sunsetting of Legacy High Availability Clustering

Our legacy High Availability Clustering (HA-C) feature officially reached sunset status on April 17, 2024. As explained in our Sunsetting help documentation, this means that HA-C is fully removed from Nexus Repository, and we will no longer provide additional features or bug fixes related to legacy HA-C. Sonatype Support will provide best-effort guidance to help customers adopt one of our newer High Availability deployment solutions. We also provide help documentation for migrating to an HA deployment from Legacy HA-C or migrating from legacy HA-C to a single instance deployment.

As Nexus Repository will not start for any deployments that use legacy HA-C, ensure you have migrated off of legacy HA-C before upgrading to version 3.68.0 or beyond.

Dependency Updates in 3.68.0

  • Updated axios from 0.21.4 to 0.27.2

  • Updated jackson2 from 2.15.3 to 2.17.0

Bug Fixes

| Issue ID | Description |
|---|---|
| NEXUS-42263 | SHA256 checksums are now generated for Helm in PostgreSQL environments. |
| NEXUS-42006 | Resolved an API issue related to policy-compliant component selection for PyPI where waived components were mistakenly returned as quarantined. |
| NEXUS-41997 | A DEBUG level logger is no longer required to see a DataAccessException message in the DatabaseDistributedCooperationRegistry. |
| NEXUS-41903 | Made various performance improvements for HA deployments. |
| NEXUS-41602 | Resolved improper realm caching for Conan. |
| NEXUS-41486 | Components REST API works as expected for group repositories in PostgreSQL deployments. |
| NEXUS-41451 | Users are able to reset their user tokens as expected in environments using remote user tokens. |
| NEXUS-41442 | NuGet is_latest_version and is_absolute_latest_version attributes update as expected during staging moves. |
| NEXUS-41403 | Database Migrator: Resolved an issue that was causing excessive DB Migrator logging. |
| NEXUS-41384 | Namespace confusion protection works as expected for PyPI and RubyGems repositories in deployments using a Postgres database. |
| NEXUS-41372 | Resolved an issue that was sometimes causing the compact blob store task to cause an out-of-memory error. |
| NEXUS-41337 | Database Migrator: Resolved an issue that was causing database migration to fail and misreport problem records on ERROR: insert or update on table "<format>_asset" violates foreign key constraint "fk_<format>_asset_blob." |
| NEXUS-41334 | Nexus Repository now creates a single task rather than multiple tasks when migrating Yum metadata into the database during upgrade. |
| NEXUS-41285 | User tokens work on Yum group repositories as expected when Require User Tokens for Repository Authentication is enabled. |
| NEXUS-40344 | Requests for GA-level metadata that needs to be rebuilt no longer automatically start a rebuild of the full metadata tree. |
| NEXUS-39956 | Removed nexus-hazelcast-plugin from the source tree. |
| NEXUS-39507 | Improved error messaging when users attempt to use Import/Export across different Nexus Repository versions; as stated in our Import help documentation, Nexus Repository does not support importing files from an older Nexus Repository version. |
| NEXUS-38651 | Uploading to a raw repository with PUT will generate md5, sha1, sha256, and sha512 checksums. This is introduced as a new feature but also recorded in this table for customers who were following this issue ID. |
| NEXUS-38451 | Made adjustments so that Nexus Repository generates fewer browseComponentAssets SQL queries when finding packages by ID in NuGet v2 proxy repositories. |
| NEXUS-34192 | Resolved an issue with SAML authentication related to the NXSESSIONID. |
| NEXUS-31745 | Improved error messaging on Tag API when invalid continuation token is passed in. |