Nexus Repository 3.37.0 - 3.37.3 Release Notes
New Log4j Visualizer (3.37.2): In response to the recently reported vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"), Sonatype is providing a Log4j Visualizer for a limited time to all Nexus Repository OSS and Pro users. The Log4j Visualizer provides insight into Maven log4j component downloads impacted by CVE-2021-44228 in your organization.
Update to logback Library Version (3.37.1): Because of a low/moderate vulnerability existing in logback, the logback library used in Nexus Repository products is updated from version 1.2.3 to version 1.2.9.
Repository Replication for NuGet and PyPI (3.37.0) PRO: Repository replication now supports the NuGet and PyPI formats.
New Repair - Rebuild npm metadata Task (3.37.0): Use the new Repair - Rebuild npm metadata task to rebuild the npm metadata for a hosted repository based on the components found in that repository's storage.
3.37.3 Release December 29, 2021
Log4j Visualizer Text Update
This release includes an update to the text on the Log4j Visualizer screen.
3.37.2 Release December 28, 2021
New Log4j Visualizer
As we detailed in our blog and are still monitoring in our Log4j Vulnerability Resource Center, vulnerability researchers uncovered a critical vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"). In an effort to help the global software community defend themselves against this threat, we are providing a Log4j Visualizer to all Nexus Repository OSS and Pro users to allow greater visibility into Maven log4j component downloads.
The visualizer looks at your request logs to show you information about Maven log4j component downloads in your organization, including the number of times someone has downloaded a log4j component impacted by CVE-2021-44228 by repository, username, and IP address.
This is a temporary feature, and we may modify or remove it completely in future releases. Note that enabling the capability may impact Nexus Repository performance. Also note that the Log4j Visualizer only captures information about the log4j-core component in Maven, and only identifies versions impacted by CVE-2021-44228; it does not currently identify or track other log4j vulnerabilities.
You can enable the capability from a message that will appear upon upgrading or from Nexus Repository's capabilities section. Learn more in our Log4j Visualizer documentation.
The Log4j Visualizer does not work in High-Availability Clustering (HA-C) environments.
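To make the request-log analysis described above concrete, here is an added example (not Sonatype's code, and not how the Visualizer itself is implemented) that scans Nexus request.log lines for successful downloads of log4j-core jars in the CVE-2021-44228 range and counts them by repository, username and client IP. The line shape is an assumption about the default Nexus Repository 3 request log, the affected range (2.0-beta9 through 2.14.1, excluding the 2.3.1, 2.12.2 and 2.12.3 security backports) is taken from Apache's advisory as understood here and should be checked against it, and the sample lines are constructed.

```python
"""Count downloads of CVE-2021-44228-affected log4j-core jars in Nexus request logs.

Added example, not Sonatype code. The request.log line shape below is an
assumption about the default Nexus Repository 3 format; adjust REQUEST_LINE
if your file differs.
"""
import re
from collections import Counter

# Assumed line shape:
#   <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <req-len> <bytes> <ms> "<agent>" [<thread>]
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Standard Maven layout served under /repository/<name>/; only the log4j-core
# jar matters for CVE-2021-44228 (log4j-api, .pom and checksum files do not).
LOG4J_CORE_JAR = re.compile(
    r'^/repository/(?P<repo>[^/]+)/org/apache/logging/log4j/log4j-core/'
    r'(?P<version>[^/]+)/log4j-core-(?P=version)\.jar$'
)

# Security backports that sort below 2.14.1 but are fixed (per Apache's
# advisory as understood here; verify against the current advisory text).
FIXED_BACKPORTS = {"2.3.1", "2.12.2", "2.12.3"}
VERSION = re.compile(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$')


def is_affected(version: str) -> bool:
    """True for log4j-core 2.0-beta9 up to and including 2.14.1."""
    if version in FIXED_BACKPORTS:
        return False
    m = VERSION.match(version)
    if not m:
        return False          # unparseable version: leave it out of the count
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    qualifier, qual_num = (m[4] or "").lower(), int(m[5] or 0)
    if major != 2:
        return False
    if (minor, patch) == (0, 0) and qualifier:
        # 2.0-beta9 introduced the JNDI lookup: earlier betas are clean,
        # beta9 onwards and the 2.0-rc1/rc2 pre-releases are affected.
        return qualifier != "beta" or qual_num >= 9
    return (minor, patch) <= (14, 1)


def affected_downloads(lines):
    """Return (Counter by (repo, user, ip), Counter by version) of successful GETs."""
    by_source, by_version = Counter(), Counter()
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue          # skip HEAD probes, 404s, uploads, malformed lines
        jar = LOG4J_CORE_JAR.match(m["path"])
        if not jar or not is_affected(jar["version"]):
            continue
        user = "anonymous" if m["user"] == "-" else m["user"]  # '-' assumed for anonymous
        by_source[(jar["repo"], user, m["ip"])] += 1
        by_version[jar["version"]] += 1
    return by_source, by_version


def _line(ip, user, repo, artifact, version, ext, status):
    """Build one constructed request.log line in the assumed shape."""
    path = (f"/repository/{repo}/org/apache/logging/log4j/{artifact}/"
            f"{version}/{artifact}-{version}.{ext}")
    return (f'{ip} - {user} [14/Dec/2021:10:15:32 +0000] "GET {path} HTTP/1.1" '
            f'{status} - 1745678 12 "Apache-Maven/3.8.1" [qtp1-22]')


# Constructed sample log, not taken from a real instance.
SAMPLE_LOG = [
    _line("10.0.0.5", "admin", "maven-central", "log4j-core", "2.14.1", "jar", 200),
    _line("10.0.0.5", "admin", "maven-central", "log4j-core", "2.14.1", "pom", 200),    # pom: not counted
    _line("10.0.0.9", "-", "maven-central", "log4j-core", "2.15.0", "jar", 200),        # fixed version
    _line("10.0.0.7", "ci-bot", "maven-releases", "log4j-core", "2.0-beta9", "jar", 200),
    _line("10.0.0.7", "ci-bot", "maven-central", "log4j-core", "2.12.2", "jar", 200),   # security backport
    _line("10.0.0.5", "admin", "maven-central", "log4j-core", "2.14.1", "jar", 404),    # failed request
    _line("10.0.0.5", "admin", "maven-central", "log4j-core", "2.14.1", "jar", 200),
    _line("10.0.0.3", "dev", "maven-central", "log4j-api", "2.14.1", "jar", 200),       # not log4j-core
]

if __name__ == "__main__":
    by_source, by_version = affected_downloads(SAMPLE_LOG)
    for (repo, user, ip), n in by_source.most_common():
        print(f"{n:4d}  {repo:<16} {user:<12} {ip}")
    print("by version:", dict(by_version))
```

Run it over the request.log files under the Nexus data directory (feed the lines of each file to affected_downloads). Two caveats apply equally to any log-based approach, including the Visualizer: it only sees jars that were actually fetched through Nexus, so a build that already had log4j-core in its local Maven cache leaves no trace, and only successful GETs of the jar count, so 404s and HEAD probes are excluded on purpose.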
3.37.1 Release December 17, 2021
Update Logback Library Version
Nexus Repository does not use log4j and uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability existing in logback, we are taking precautionary measures by updating the logback library version used in Nexus Repository products from version 1.2.3 to version 1.2.9.
3.37.0 Release November 24, 2021
Replication Support for NuGet and PyPI PRO
Repository replication now supports the NuGet and PyPI formats.
Improved Performance for those Migrating to Nexus Repository 3 with an External PostgreSQL Database PRO
We previously noticed performance issues related to SQL INSERT performance into the format-specific browse_node tables. In this release, we have made improvements to prevent these issues from slowing down or halting migration.
Improved Resilient Deployment Options PRO
We have made the node id persistent in the event of a node failover so that Nexus Repository is able to read blob store metrics files that were generated by Nexus while running on another node. This allows for accurate blob store metrics in the user interface.
We have also modified the Repair - Rebuild repository search task, which rebuilds the Elasticsearch (ES) index when a Kubernetes node starts up, to rebuild the ES index only if it is not already present on the node. This allows the ES index to persist across Nexus Repository pod restarts.
Be sure to check out our help documentation on resilient deployment options.
New Repair - Rebuild npm metadata Task
You can now rebuild the npm metadata for a hosted repository based on the components found in that repository's storage. This new Repair - Rebuild npm metadata task can serve as a recovery tool in cases of corrupted npm metadata.
The Repair - Rebuild Maven repository metadata Task Fixes Invalid Blob References for maven-metadata.xml
After restoring from backup, the component database may contain references to files that no longer exist in blob storage. We have found that the fastest way to repair this is to allow the Repair - Rebuild Maven repository metadata task to recreate a hosted metadata file whenever it encounters one with an invalid blob reference. This is now the standard behavior for this task.
Retain Information About Assets Migrated from Nexus Repository Version 2 to Version 3
When migrating from Nexus Repository version 2 to version 3, Nexus Repository will now retain information about when assets from that Nexus Repository 2 instance were created and who created them.
Improved S3 Blob Store Performance
We reworked our implementation to avoid copy operations while uploading components so as to improve S3 storage performance.
| Bug Fixes | Description |
|---|---|
| NEXUS-29290 | A suspected XSS vulnerability was reported. After investigation, it was found not to be exploitable; however, we have put a change in place to make sure it can never become exploitable. |
| NEXUS-28918 | The Search API now sorts Maven content by version following the standard Maven versioning rules. |
| NEXUS-22125 | You can now query image tags via the Registry API for proxied gcr.io as expected. |
| NEXUS-21878 | A failure in the start of one Docker connector no longer prevents other connectors from attempting to start. |