2018 Release Notes
Repository Manager 2.14.11
Repository Manager 2.14.11 is a Security-fix Release
This release corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend that all users upgrade to 2.14.11 or later immediately. We made the following updates:
- Updated a dependency that was susceptible to a DoS attack (CVE-2018-11796)
- Resolved internal SQL injection exploit
Java 8 Required
Repository Manager 2.14.11 requires Java 8 to consume fixes to some external libraries. Please upgrade to Java 8 before upgrading to or installing this release. See Java System Requirements for more general information.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Environment
- [NEXUS-18235] - Require Java 8 for NXRM 2
Repository Manager 2.14.10
Repository Manager 2.14.10 is a Security-fix Release
This release corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend that all users upgrade to 2.14.10 or later immediately. We made the following updates:
- Updated a dependency that was susceptible to a DoS attack
- Updated a dependency that had an XSS vulnerability
- Updated a dependency that allowed an attacker to craft a special serialized object that executes code directly when deserialized
The following is a list of the CVEs addressed:
- CVE-2018-11771
- CVE-2015-9251
- CVE-2016-6814
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Security
- [NEXUS-18044] - Updates for vulnerable dependencies
Repository Manager 2.14.9
Repository Manager 2.14.9 is a Bug-fix Release
- NEXUS-17202 - "out of range" error when installing some npm packages via proxy
- NEXUS-16950 - Permission bottleneck for large numbers of repositories in nested group repos
- NEXUS-16667 - Group repository can have members removed inadvertently after update which includes a not existing member
- NEXUS-16543 - XmlRolePermissionResolver permission checks bottleneck
- NEXUS-16449 - Role to privilege cache gets cleared out at inappropriate times
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Repository Manager 2.14.8
IQ Audit and Quarantine (Firewall) now available in OSS bundles
Repository Manager 2.14.8 introduces the Nexus Firewall functionality to the Nexus Repository Manager OSS bundle (previously only available to Pro users). To learn more, see the Nexus Firewall quick start guide.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Repository Manager 2.14.7
This is a bug-fix release; compatibility with Java 7 has been restored.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
General Improvements
An unintended change which required running 2.14.6 with Java 8 has been reverted. While we still recommend using the latest Java 8, this repository manager release restores the ability for users to run Repository Manager 2.x with either Java 7 or Java 8.
Repository Manager 2.14.6
This is a bug-fix release to correct multiple XSS vulnerabilities that have been discovered in all versions of Nexus Repository Manager 2.x up to and including 2.14.5. We recommend that all users upgrade to 2.14.6 or later immediately. Please see our support knowledge base article for more details.
See the complete release notes for all resolved issues.
Java 8 Required
Repository Manager 2.14.6 requires Java 8 to run. Please upgrade to Java 8 before upgrading to or installing this release. See Java System Requirements for more general information.
This was an unintentional change that we are planning to adjust in the next release. We apologize if this causes any inconvenience when you attempt to upgrade. Note that we will be deprecating Java 7 support for this product in the near future, so you should be prepared to install the latest supported JVM, which is always a good idea to ensure the performance and security of your Java programs.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
General Improvements
- [NEXUS-13882] - If an old indexing context is found when creating a new repository it should be deleted
Performance
- [NEXUS-14034] - NuGet "filter=(tolower(Id))" queries don't use a database index in NXRM 2.x, causing severe performance issues in large instances
Security
- [NEXUS-15723] - Multiple XSS security vulnerabilities addressed
You can now specify the secret that Nexus Repository uses for reversible encryption by setting the system property nexus.security.masterPhraseFile to a file containing the secret. You should not include this file in backups; safely secure your password elsewhere.