Nexus Repository 3.29.0 - 3.29.2 Release Notes
Nexus Repository Manager 3.29.2
2021-01-06
If you installed 3.29.1 and modified or created a cleanup policy the following is critical.
A bug in the implementation of the new user interface for Cleanup Policies resulted in a value displayed as days being interpreted as seconds. If you created or modified a cleanup policy while using 3.29.1 after updating you must confirm that these fields have the intended values.
NEXUS-26251 - Interface for Cleanup Policies erroneously interprets and persists values as seconds instead of days
Nexus Repository Manager 3.29.1
2020-12-24
These notes are a compilation of significant bug fixes for Nexus Repository Manager 3.29.1.
An upgrade to 3.29.2 or newer is strongly recommended especially for instances that use Cleanup Policies. If this is not possible, any 3.29.1 instance is advised to take the following action:
As an Administrator user, navigate to Administration → System → Tasks.
Select the task of type Admin - Cleanup repositories using their associated policies. The default task name is
Cleanup service. Click the task Settings tab.Uncheck the Task enabled checkbox on the Settings tab and click Save.
Blobstore, Docker, Scheduled Tasks
[NEXUS-25504] Unable to pull images from hosted docker repo after move to new blob store
helm
[NEXUS-25611] Installing via helm proxy errors if not using official remote
npm-audit
[NEXUS-25936] npm audit fails with 500 response using group and anonymous
NuGet V3
[NEXUS-25801] Group repository registration API requests may fail
Staging
[NEXUS-24391] 'Destination already contains component' error when using staging API
Nexus Repository Manager 3.29.0
2020-12-04
Includes Security Fix for XML External Entity CVE. See the CVE-2020-29436 advisory for details.
Sonatype recommends that administrators running 3.28.1 and earlier upgrade immediately.
These notes are a compilation of new features and significant bug fixes for Nexus Repository Manager 3.29.0.
Filtering npm Package Root Metadata
A common pattern in npm projects is to use version ranges for dependencies for users of Nexus Firewall this could lead to build failures if quarantine is enabled for unknown components when builds occurred before a package was catalogued. Firewall is now smarter, and when configured it will filter new packages that haven’t yet been vetted for quality so developers can use latest and version ranges without friction.
Deprecating /service/metrics/healthcheck
[NEXUS-19840] The /service/metrics/healthcheck endpoint has been deprecated and scheduled for eventual removal. It is recommended to use the alternative endpoint/service/rest/v1/status/check which has a near equivalent JSON response, except it does not return 500 status when one or more system status checks fail.
Support for Maven and Gradle SHA256/SHA512 Hashing
These hashes are now created automatically during UI Upload of jars and automatically removed when the accompanying components are removed by cleanup policies or maven-specific deletion tasks.
Remote URL of nuget.org-proxy Defaults to V3 for New Installs
[NEXUS-25506] New installs will now contain the default NuGet proxy repository as https://api.nuget.org/v3/index.json. Upgrading will not modify any existing remote URLs, although users are encouraged to start migrating away from using NuGet V2 API URLs such as the previous default (https://www.nuget.org/api/v2/).
More Secure Direct Inbound HTTPS Connection Ciphers and TLS Protocols
[NEXUS-20267, NEXUS-25786] For instances using Eclipse Jetty-based direct inbound HTTPS connections (no reverse proxy), the default connector configration inside jetty-https.xml now only allows TLS v1.2 connections. Excluded are weak ciphers, deprecated TLS v1 and TLS v1.1 protocols.
It is possible that very old insecure HTTP clients may fail establishing an HTTPS connection to repository manager using these new defaults. Should this occur and you need to revert changes in your instance, consult the JIRA issues or our knowledge base article.
General Improvements
[NEXUS-25307] Protection against deletion of related blob stores while the Change repository blob store task is executing
[NEXUS-14631] Added more attributes to REST resource for asset
[NEXUS-19021] Logging at default levels when roles are added or removed
[NEXUS-25774] Upgraded Eclipse Jetty to 9.4.33.v20201020
Blobstore
[NEXUS-23733] Creating more than one file based blobstore using the same root path is not prevented
Crowd, REST
[NEXUS-25529] Security management: Users API does not show "externalRoles" for Crowd
Proxy Repository
[NEXUS-25510] Error Response Code 429 (Rate Limiting) does not autoblock
NuGet V3
[NEXUS-25291] Proxy can be configured only using a specific remote in UI field
[NEXUS-25605] Proxy repositories to github package registry can fail query requests when accessed in a group repository
[NEXUS-25478] Group packages incorrectly sorted in page causing some installs to fail
[NEXUS-25357] Proxy does not work with some third-party V3 repositories
npm-audit
[NEXUS-24913] npm audit caching prevents policy updates
NuGet
[NEXUS-25609] Exception processing payloads for a single NuGet group member repository can stop all group member processing
R
[NEXUS-23827] PACKAGES.gz cannot be updated if repository doesn't allow redeploy
Security
[NEXUS-25829] CVE-2020-29436: Fixes an XXE Vulnerability
Transport
[NEXUS-25158] HeaderPatternFilter may reject implicit Host value due to certain combinations of X-Forwarded headers
Yum
[NEXUS-25604] Some newly deployed rpm files not showing up in primary.xml.gz, despite logging saying they are being added
[NEXUS-25502] yum metadata is rebuilt after downloading it which can cause build failures
[NEXUS-25628] yum metadata missing provides entries when multiple versions are provided by a package