2020 Nexus Repository 2 Release Notes
Nexus Repository 2
Warning
A critical security vulnerability has been found in versions up to and including 2.14.18. For details, please see CVE-2020-13933.
Sonatype recommends that administrators upgrade to 2.14.19 or newer immediately.
Note
The notes below are a summary of new features, enhancements, and bug fixes per version release.
Repository Manager 2.14.20
This release includes an update to ActiveMQ for a CVE reported against it and an update of BouncyCastle to allow the use of ECC signatures.
Repository Manager 3 Upgrade Compatibility
Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.
Security
[NEXUS-26224] - CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack
Repository
[NEXUS-25956] - Signatures with ECC algorithm not being recognized
Repository Manager 2.14.19
This release includes minor security fixes.
Repository Manager 3 Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
[NEXUS-24349] - CVE-2020-15012 - NXRM2 Directory Traversal vulnerability
Repository Manager 2.14.18
This is a bug fix release and corrects an issue deploying sha256 and sha512 checksums when using staging repositories.
Repository Manager 3 Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
[NEXUS-21802] - Maven metadata sha256/sha512 checksum in staging repositories
Repository Manager 2.14.17
This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.17 or later.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Security
[NEXUS-23556] - CVE-2020-11415: LDAP system credentials can be exposed by admin user
Repository Manager 2.14.16
Warning
An RCE vulnerability has been found and corrected in 2.14.16; see the CVE-2019-15893 advisory for details.
Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.15 upgrade immediately.
This is a bug fix release and corrects vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.16 or later.
Repository Manager 3.x Upgrade Compatibility
Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.
Security
[NEXUS-22014] - CVE-2019-5475: OS Command Injection vulnerability
[NEXUS-22453] - Update Apache Shiro library to resolve security vulnerability
Repository
[NEXUS-22313] - Invalid content-range header returned
Crowd
[NEXUS-13306] - usernames containing non-URL safe characters cannot authenticate using the Crowd realm