
2019 Nexus Repository 2 Release Notes

Nexus Repository 2

Repository Manager 2.14.15

Warning

Two RCE vulnerabilities have been found and corrected in 2.14.15; see the CVE-2019-15893 and CVE-2019-16530 advisories for details.

Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.14 upgrade immediately.

This is a bug fix release and corrects several vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.15 or later.

Repository Manager 3.x Upgrade Compatibility

Security

  • [NEXUS-21044] - CVE-2019-15893: Remote Code Execution vulnerability

  • [NEXUS-21193] - CVE-2019-16530: Remote Code Execution vulnerability

  • [NEXUS-20626] - CVE-2019-5475: OS Command Injection vulnerability (second part to the fix in 2.14.14)

  • [NEXUS-21512] - Update Apache Tika and Commons Compress libraries to resolve security vulnerabilities

Repository Manager 2.14.14

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.14 or later.

Repository Manager 3.x Upgrade Compatibility

Security

  • [NEXUS-20626] - CVE-2019-5475: OS command injection vulnerability

  • [NEXUS-20776] - CVE-2019-11358: Update jQuery to resolve vulnerability

Staging

  • [NEXUS-20160] - Fix display of HTML tags in staging repository summary panel

  • [NEXUS-19912] - Add staging rule support for new POM attributes in Maven 3.6.1

Yum

  • [NEXUS-19404] - Conditional GET requests for repodata/repomd.xml files always return 304 unmodified

Repository Manager 2.14.13

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager Pro 2.x. We recommend all Pro users upgrade to 2.14.13 or later.

Repository Manager 3.x Upgrade Compatibility

Security

  • [NEXUS-19761] - XSS security vulnerability addressed (CVE-2019-11629)

Repository Manager 2.14.12

This release includes improvements and bug fixes, and corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.12 or later.

Repository Manager 3.x Upgrade Compatibility

General Improvements

  • [NEXUS-19019] - Update Docker images to use OpenJDK 8

  • [NEXUS-18919] - Prevent leaking of InputStream on root HTML index page

  • [NEXUS-18271] - Changed our Welcome Outreach capability to use HTTPS instead of HTTP

Upgrade

  • [NEXUS-18705] - repository-changelog requests from Nexus 3 upgrade can trigger Nexus 2 outbound requests even though proxy repository is blocked

Staging

  • [NEXUS-8316] - Prevent failing on file pattern for Profile Target Matcher staging rule

NuGet

  • [NEXUS-8159] - Log RemoteItemNotFoundException for NuGet Proxy at debug level

Security

  • [NEXUS-19314] - Multiple security vulnerabilities addressed