Skip to main content

Sonatype Nexus Repository 3.59.0 Release Notes

Released August 15, 2023

Warning

There is a known issue impacting Sonatype Nexus Repository Pro users who meet all of the following criteria:

  • Were previously on OrientDB and migrated to PostgreSQL

  • Have RubyGems, P2, or NuGet v2 assets that were migrated from OrientDB to PostgreSQL

  • Have run the Repair - Reconcile component database from blob store task with the Integrity Check option enabled (this option is enabled by default)

The issue causes the task tosoft-delete the blob .properties and .bytes files for NuGet v2 proxy and hosted repositories.

The task also will not restore the desired content for RubyGems, NuGet v2 (proxy or hosted), or P2 repositories; however, there is no soft deletion associated with RubyGems or P2 repositories.

If you have migrated to PostgreSQL and have RubyGems, P2, or NuGet v2 assets, do not run the Repair - Reconcile component database from blob store task against blobstores containing any of the impacted formats.

We will release a fix for this issue in the upcoming 3.60.0 release.

Warning

There is a known issue in Sonatype Nexus Repository 3.59.0 impacting deployments using OrientDB and configured to have LDAP and SAML users that have the exact same User ID. If you are using OrientDB and have migrated authentication from LDAP to SAML you are advised not to upgrade to Nexus Repo 3.59.0 or 3.60.0.

Highlights in This Release

Common Vulnerabilities and Exposures Fix for Apache Shiro

This release upgrades Apache shiro from 1.10.0 to 1.12.0 to mitigate CVE-2023-34478.

Common Vulnerabilities and Exposures Fix for SnakeYaml

This release upgrades SnakeYaml from 1.33 to 2.0 to mitigate CVE-2022-1471.

Security Fix for User Tokens

This release includes a security fix for those using user tokens for authentication.

Support for Password Encoders for LDAP Authentication

In this release, we added support for password encoders like SHA-256, SHA-384, and SHA-512 for LDAP authentication.

What's New and Noteworthy in This Release?

Common Vulnerabilities and Exposures Fix for Apache Shiro

This release upgrades Apache shiro from version 1.10.0 to version 1.12.0 to mitigate CVE-2023-34478. As this CVE implicates all shiro 1.x versions prior to 1.12, all version of Sonatype Nexus Repository 3 prior to 3.59.0 contain vulnerable versions of shiro. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.

Common Vulnerabilities and Exposures Fix for SnakeYaml

This release upgrades SnakeYaml from version 1.33 to version 2.0 to mitigate CVE-2022-1471. This CVE impacts all SnakeYaml version prior to 2.0; therefore, all previous Sonatype Nexus Repository 3 versions contain vulnerable versions of SnakeYaml. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.

Security Fix for User Tokens

Sonatype recently became aware of a bug impacting those using user tokens for authentication. To address potential security concerns, we have enhanced our user token authentication methods to ensure that user tokens are always case-sensitive regardless of security realm or database used. We do not know of any active exploit of this issue, but we urge customers to upgrade as soon as possible.

Support for Password Encoders for LDAP Authentication

To further improve Sonatype Nexus Repository security, this release introduces support for password encoders like SHA-256, SHA-384, and SHA-512 for those using LDAP authentication.

Outbound Request Log

To help facilitate debugging outbound network problems, we have added an outbound request log that generates an outbound-request.log file in the $data-dir/log directory. The outbound request log rotates daily, maintains 90 days of log files by default, and compresses old logs. The log includes information such as date/time, authenticated user id, method, url, response status code, bytes sent, bytes received, and response time.

Audit Logging for Content Selectors

To help troubleshoot content selector issues, we've expanded the audit log ($data-dir/log/audit/audit.log) to log content selector creation, update, or deletion.

Bug Fixes

Ticket Number

Description

NEXUS-39797

Resolved an issue that was causing some components to not be indexed for search in HA deployments.

NEXUS-39774 & 39573

Using the Search API to return Maven assets with an empty maven.classifier now works as expected.

NEXUS-36486

The blobCreated date is now preserved when migrating to PostgreSQL.

NEXUS-36415

Adjusted handling in cases where invalid content violating metadata format is cached in a proxy repository.

NEXUS-35977

Improved error messaging and documentation related to requesting files from a R format repository. See our updated R repositories documentation for supported file types.