2019 Release Notes

Repository Manager 2.14.15

Security Fix for discovered Remote Code Execution (RCE) vulnerabilities

Two RCE vulnerabilities have been found and corrected in 2.14.15; see the CVE-2019-15893 and CVE-2019-16530 advisories for details.

Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.14 upgrade immediately.

This is a bug fix release and corrects several vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.15 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-21044] - CVE-2019-15893: Remote Code Execution vulnerability
  • [NEXUS-21193] - CVE-2019-16530: Remote Code Execution vulnerability
  • [NEXUS-20626] - CVE-2019-5475: OS Command Injection vulnerability (second part to the fix in 2.14.14)
  • [NEXUS-21512] - Update Apache Tika and Commons Compress libraries to resolve security vulnerabilities

Repository Manager 2.14.14

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.14 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-20626] - CVE-2019-5475: OS command injection vulnerability
  • [NEXUS-20776] - CVE-2019-11358: Update jquery to resolve vulnerability

Staging

  • [NEXUS-20160] - Fix display of HTML tags in staging repository summary panel
  • [NEXUS-19912] - Add staging rule support for new POM attributes in Maven 3.6.1

Yum

  • [NEXUS-19404] - Conditional GET requests for repodata/repomd.xml files always return 304 Not Modified

Repository Manager 2.14.13

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager Pro 2.x. We recommend all Pro users upgrade to 2.14.13 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-19761] - XSS security vulnerability addressed (CVE-2019-11629)

Repository Manager 2.14.12

This release includes improvements and bug fixes and corrects multiple vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2.x. We recommend all users upgrade to 2.14.12 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

General Improvements

  • [NEXUS-19019] - Update Docker images to use OpenJDK 8
  • [NEXUS-18919] - Prevent leaking of InputStream on root HTML index page
  • [NEXUS-18271] - Changed our Welcome Outreach capability to use HTTPS instead of HTTP

Upgrade

  • [NEXUS-18705] - repository-changelog requests from Nexus 3 upgrade can trigger Nexus 2 outbound requests even though proxy repository is blocked

Staging

  • [NEXUS-8316] - Prevent failing on file pattern for Profile Target Matcher staging rule

NuGet

  • [NEXUS-8159] - Log RemoteItemNotFoundException for NuGet Proxy at debug level

Security

  • [NEXUS-19314] - Multiple security vulnerabilities addressed