2020 Release Notes

Security Fix

A critical security vulnerability has been found in versions up to and including 2.14.18. For details, please see CVE-2020-13933.

Sonatype recommends that administrators upgrade to 2.14.19 or newer immediately.

The notes below are a summary of new features, enhancements, and bug fixes per version release. To access the latest release, see our download page for details.

Repository Manager 2.14.20

This release includes an update to ActiveMQ to address a CVE reported against it, and an update of BouncyCastle to allow the use of ECC signatures.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-26224] CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack

Repository

  • [NEXUS-25956] Signatures with ECC algorithm not being recognized

Repository Manager 2.14.19

This release includes minor security fixes.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

  • [NEXUS-24349] - CVE-2020-15012 - NXRM2 Directory Traversal vulnerability

Repository Manager 2.14.18

This is a bug fix release and corrects an issue with deploying sha256 and sha512 checksums when using staging repositories.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

  • [NEXUS-21802] - Maven metadata sha256/sha512 checksum in staging repositories

Repository Manager 2.14.17

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.17 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-23556] - CVE-2020-11415: LDAP system credentials can be exposed by admin user

Repository Manager 2.14.16

Security Fix for discovered Remote Code Execution (RCE) vulnerabilities

An RCE vulnerability has been found and corrected in 2.14.16; see the CVE-2019-15893 advisory for details.

Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.15 upgrade immediately.

This is a bug fix release and corrects vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.16 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-22014] - CVE-2019-5475: OS Command Injection vulnerability
  • [NEXUS-22453] - Update Apache Shiro library to resolve security vulnerability

Repository

Crowd

  • [NEXUS-13306] - Usernames containing non-URL-safe characters cannot authenticate using the Crowd realm