Sonatype Nexus Repository 3.59.0 Release Notes
Released August 15, 2023
There is a known issue impacting Sonatype Nexus Repository Pro users who meet all of the following criteria:
Were previously on OrientDB and migrated to PostgreSQL
Have RubyGems, P2, or NuGet v2 assets that were migrated from OrientDB to PostgreSQL
Have run the Repair - Reconcile component database from blob store task with the Integrity Check option enabled (this option is enabled by default)
The issue causes the task to soft-delete the blob .properties and .bytes files for NuGet v2 proxy and hosted repositories.
The task also will not restore the desired content for RubyGems, NuGet v2 (proxy or hosted), or P2 repositories; however, there is no soft deletion associated with RubyGems or P2 repositories.
If you have migrated to PostgreSQL and have RubyGems, P2, or NuGet v2 assets, do not run the Repair - Reconcile component database from blob store task against blobstores containing any of the impacted formats.
We will release a fix for this issue in the upcoming 3.60.0 release.
There is a known issue in Sonatype Nexus Repository 3.59.0 impacting deployments using OrientDB and configured to have LDAP and SAML users that have the exact same User ID. If you are using OrientDB and have migrated authentication from LDAP to SAML you are advised not to upgrade to Nexus Repo 3.59.0 or 3.60.0.
Common Vulnerabilities and Exposures Fix for Apache Shiro
This release upgrades Apache Shiro from version 1.10.0 to version 1.12.0 to mitigate CVE-2023-34478. As this CVE implicates all Shiro 1.x versions before 1.12, all versions of Sonatype Nexus Repository 3 before 3.59.0 contain vulnerable versions of Shiro. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.
Common Vulnerabilities and Exposures Fix for SnakeYaml
This release upgrades SnakeYaml from version 1.33 to version 2.0 to mitigate CVE-2022-1471. This CVE impacts all SnakeYaml versions before 2.0; therefore, all previous Sonatype Nexus Repository 3 versions contain vulnerable versions of SnakeYaml. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.
Security Fix for User Tokens
Sonatype recently became aware of a bug impacting those using user tokens for authentication. To address potential security concerns, we have enhanced our user token authentication methods to ensure that user tokens are always case-sensitive regardless of the security realm or database used. We do not know of any active exploit of this issue, but we urge customers to upgrade as soon as possible.
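To illustrate the defect class this fix addresses, here is an added example that is not Nexus Repository's own code (its token handling is not shown on this page): a token lookup that folds letter case, as a case-insensitive realm or database collation might, beside an exact constant-time comparison, together with a check a team can run against its own token authenticator and the keyspace arithmetic behind it. The token values, the 16-character alphanumeric format and the store layout are constructed assumptions for the demonstration.

```python
import hmac
import math

# Constructed sample store: user-token "name code" -> "pass code".
# Values are made up for this example and are not real tokens.
TOKENS = {
    "Ab3kZ9xQ": "pR7sT2uV4wX8yZ1a",
}


def authenticate_insensitive(store, name_code, pass_code):
    """Model of the defective behaviour: both halves of the token are
    compared after case folding, so a differently cased token is accepted."""
    for stored_name, stored_pass in store.items():
        if stored_name.lower() == name_code.lower():
            return stored_pass.lower() == pass_code.lower()
    return False


def authenticate_sensitive(store, name_code, pass_code):
    """Hardened model: exact lookup plus constant-time, case-sensitive compare."""
    secret = store.get(name_code)
    if secret is None:
        # Compare against a dummy so a missing name code takes similar time.
        hmac.compare_digest(pass_code.encode(), b"\0" * len(pass_code))
        return False
    return hmac.compare_digest(secret.encode(), pass_code.encode())


def rejects_case_variants(auth_fn, store):
    """Defender check: does auth_fn reject a valid token whose letter case
    has been swapped? Returns False if any variant is accepted."""
    for name_code, pass_code in store.items():
        variant = (name_code.swapcase(), pass_code.swapcase())
        if variant == (name_code, pass_code):
            continue  # all digits, nothing to vary
        if auth_fn(store, *variant):
            return False
    return True


def effective_bits(length, alphabet_size):
    """Search space of a random token in bits: length * log2(alphabet).
    Case folding shrinks a 62-symbol alphanumeric alphabet to 36 symbols."""
    return length * math.log2(alphabet_size)
```

For a 16-character pass code the comparison drops from about 95.3 bits (62 symbols) to about 82.7 bits (36 symbols) under case folding, which is the entropy the case-sensitivity fix restores.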
Support for Password Encoders for LDAP Authentication
To further improve Sonatype Nexus Repository security, this release introduces support for password encoders like SHA-256, SHA-384, and SHA-512 for those using LDAP authentication.
Outbound Request Log
To help facilitate debugging outbound network problems, we have added an outbound request log that generates an outbound-request.log file in the $data-dir/log directory. The outbound request log rotates daily, maintains 90 days of log files by default, and compresses old logs. The log includes information such as date/time, authenticated user id, method, url, response status code, bytes sent, bytes received, and response time.
Audit Logging for Content Selectors
To help troubleshoot content selector issues, we've expanded the audit log ($data-dir/log/audit/audit.log) to log content selector creation, update, or deletion.
Bug Fixes

Issue | Description
---|---
NEXUS-39797 | Resolved an issue that was causing some components to not be indexed for search in HA deployments.
NEXUS-39774 & NEXUS-39573 | Using the Search API to return Maven assets with an empty
NEXUS-36486 | The
NEXUS-36415 | Adjusted handling in cases where invalid content violating metadata format is cached in a proxy repository.
NEXUS-35977 | Improved error messaging and documentation related to requesting files from an R format repository. See our updated R repositories documentation for supported file types.