2018 Nexus Repository 2 Release Notes

Nexus Repository 2

Repository Manager 2.14.11

Repository Manager 2.14.11 is a Security-fix Release

This release corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend that all users upgrade to 2.14.11 or later immediately. We made the following updates:

  • Updated a dependency that was susceptible to a DoS attack (CVE-2018-11796)

  • Resolved internal SQL injection exploit

Warning

Repository Manager 2.14.11 requires Java 8 to consume fixes to some external libraries. Please upgrade to Java 8 before upgrading to or installing this release. See Java System Requirements for more general information.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Environment

  • [NEXUS-18235] - Require Java 8 for NXRM 2

Repository Manager 2.14.10

Repository Manager 2.14.10 is a Security-fix Release

This release corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend that all users upgrade to 2.14.10 or later immediately. We made the following updates:

  • Updated a dependency that was susceptible to a DoS attack

  • Updated a dependency that had an XSS vulnerability

  • Updated a dependency that allowed an attacker to craft a special serialized object that executes code directly when deserialized

The following is a list of the CVEs addressed:

  • CVE-2018-11771

  • CVE-2015-9251

  • CVE-2016-6814

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Security

  • [NEXUS-18044] - Updates for vulnerable dependencies

Repository Manager 2.14.9

Repository Manager 2.14.9 is a Bug-fix Release

  • NEXUS-17202 - "out of range" error when installing some npm packages via proxy

  • NEXUS-16950 - Permission bottleneck for large numbers of repositories in nested group repos

  • NEXUS-16667 - Group repository can have members removed inadvertently after update which includes a not existing member

  • NEXUS-16543 - XmlRolePermissionResolver permission checks bottleneck

  • NEXUS-16449 - Role to privilege cache gets cleared out at inappropriate times

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Repository Manager 2.14.8

IQ Audit and Quarantine (Firewall) now available in OSS bundles

Repository Manager 2.14.8 introduces the Nexus Firewall functionality to the Nexus Repository Manager OSS bundle (previously only available to Pro users).

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Repository Manager 2.14.7

This is a bug-fix release; compatibility with Java 7 has been restored.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

General Improvements

An unintended change which required running 2.14.6 with Java 8 has been reverted. While we still recommend using the latest Java 8, this repository manager release restores the ability for users to run Repository Manager 2.x with either Java 7 or Java 8.

Repository Manager 2.14.6

This is a bug-fix release to correct multiple XSS vulnerabilities that have been discovered in all versions of Nexus Repository Manager 2.x up to and including 2.14.5. We recommend all users upgrade to 2.14.6 or later immediately. Please see our support knowledge base article for more details.

Warning

Repository Manager 2.14.6 requires Java 8 to run. Please upgrade to Java 8 before upgrading to or installing this release. See Java System Requirements for more general information.

This was an unintentional change that we are planning to adjust in the next release. We apologize if this causes inconvenience when you attempt to upgrade. Note that we will be deprecating Java 7 support for this product in the near future, so you should be prepared to install the latest supported JVM, which is always a good idea to ensure the performance and security of your Java programs.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

General Improvements

  • [NEXUS-13882] - If an old indexing context is found when creating a new repository it should be deleted

Performance

  • [NEXUS-14034] - NuGet "filter=(tolower(Id))" queries don't use a database index in NXRM 2.x, causing severe performance issues in large instances

Security

  • [NEXUS-15723] - Multiple XSS security vulnerabilities addressed

  • You can now specify the secret that Nexus Repository uses for reversible encryption by setting the system property nexus.security.masterPhraseFile to a file containing the secret.

    Note

    You should not include this file in backups; store your password securely elsewhere.