2019 Nexus Repository 2 Release Notes
Nexus Repository 2
Repository Manager 2.14.15
Warning
Two RCE vulnerabilities have been found and corrected in 2.14.15; see the CVE-2019-15893 and CVE-2019-16530 advisories for details.
Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.14 upgrade immediately.
This is a bug fix release and corrects several vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.15 or later.
Repository Manager 3.x Upgrade Compatibility
Security
[NEXUS-21044] - CVE-2019-15893: Remote Code Execution vulnerability
[NEXUS-21193] - CVE-2019-16530: Remote Code Execution vulnerability
[NEXUS-20626] - CVE-2019-5475: OS Command Injection vulnerability (second part to the fix in 2.14.14)
[NEXUS-21512] - Update Apache Tika and Commons Compress libraries to resolve security vulnerabilities
Repository Manager 2.14.14
This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.14 or later.
Repository Manager 3.x Upgrade Compatibility
Security
[NEXUS-20626] - CVE-2019-5475: OS command injection vulnerability
[NEXUS-20776] - CVE-2019-11358: Update jQuery to resolve vulnerability
Staging
[NEXUS-20160] - Fix display of HTML tags in staging repository summary panel
[NEXUS-19912] - Add staging rule support for new POM attributes in Maven 3.6.1
Yum
[NEXUS-19404] - Conditional GET requests for repodata/repomd.xml files always return 304 unmodified
Repository Manager 2.14.13
This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager Pro 2.x. We recommend all Pro users upgrade to 2.14.13 or later.
Repository Manager 3.x Upgrade Compatibility
Security
[NEXUS-19761] - XSS security vulnerability addressed (CVE-2019-11629)
Repository Manager 2.14.12
This release includes improvements and bug fixes, and corrects multiple vulnerabilities that have been discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.12 or later.
Repository Manager 3.x Upgrade Compatibility
General Improvements
[NEXUS-19019] - Update Docker images to use OpenJDK 8
[NEXUS-18919] - Prevent leaking of InputStream on root HTML index page
[NEXUS-18271] - Changed our Welcome Outreach capability to use HTTPS instead of HTTP
Upgrade
[NEXUS-18705] - repository-changelog requests from Nexus 3 upgrade can trigger Nexus 2 outbound requests even though proxy repository is blocked
Staging
[NEXUS-8316] - Prevent failing on file pattern for Profile Target Matcher staging rule
NuGet
[NEXUS-8159] - Log RemoteItemNotFoundException for NuGet Proxy at debug level
Security
[NEXUS-19314] - Multiple security vulnerabilities addressed