Sonatype Nexus Repository 3.59.0 Release Notes

There is a known issue impacting Sonatype Nexus Repository Pro users who meet all of the following criteria:

  • Were previously on OrientDB and migrated to PostgreSQL
  • Have RubyGems, P2, or NuGet v2 assets that were migrated from OrientDB to PostgreSQL
  • Have run the Repair - Reconcile component database from blob store task with the Integrity Check option enabled (this option is enabled by default)

The issue causes the task to soft-delete the blob .properties and .bytes files for NuGet v2 proxy and hosted repositories.
The task also fails to restore the expected content for RubyGems, NuGet v2 (proxy or hosted), and P2 repositories; no soft deletion occurs for RubyGems or P2 repositories, however.

If you have migrated to PostgreSQL and have RubyGems, P2, or NuGet v2 assets, do not run the Repair - Reconcile component database from blob store task against blobstores containing any of the impacted formats.

We will release a fix for this issue in the upcoming 3.60.0 release.

There is a known issue in Sonatype Nexus Repository 3.59.0 impacting deployments that use OrientDB and have LDAP and SAML users with exactly the same User ID. If you are using OrientDB and have migrated authentication from LDAP to SAML, do not upgrade to Sonatype Nexus Repository 3.59.0 or 3.60.0.

Highlights in This Release

Common Vulnerabilities and Exposures Fix for Apache Shiro

This release upgrades Apache Shiro from 1.10.0 to 1.12.0 to mitigate CVE-2023-34478.

Common Vulnerabilities and Exposures Fix for SnakeYaml

This release upgrades SnakeYaml from 1.33 to 2.0 to mitigate CVE-2022-1471.

Security Fix for User Tokens

This release includes a security fix for those using user tokens for authentication.

Support for Password Encoders for LDAP Authentication

In this release, we added support for password encoders such as SHA-256, SHA-384, and SHA-512 for LDAP authentication.

What's New and Noteworthy in This Release?

Common Vulnerabilities and Exposures Fix for Apache Shiro

This release upgrades Apache Shiro from version 1.10.0 to version 1.12.0 to mitigate CVE-2023-34478. That CVE is a path traversal weakness in Shiro's request path matching that can bypass its authentication and authorization filters when Shiro is combined with a framework that routes on non-normalized request paths. Because it affects all Shiro 1.x versions prior to 1.12.0, every version of Sonatype Nexus Repository 3 prior to 3.59.0 contains a vulnerable version of Shiro. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.

Common Vulnerabilities and Exposures Fix for SnakeYaml

This release upgrades SnakeYaml from version 1.33 to version 2.0 to mitigate CVE-2022-1471. That CVE allows remote code execution when untrusted YAML is parsed with SnakeYaml's default Constructor, which will instantiate arbitrary classes named in the document; version 2.0 restricts the types the default constructor will create. The CVE impacts all SnakeYaml versions prior to 2.0; therefore, all previous Sonatype Nexus Repository 3 versions contain vulnerable versions of SnakeYaml. We do not know of any active exploit, but we urge customers to upgrade as soon as possible.
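The two upgrades above can be checked on an existing install without trusting the version banner alone. The script below is an added example, not Sonatype code: it walks an install directory for jar files named <artifact>-<version>.jar and reports any Shiro module older than 1.12.0 or any SnakeYaml older than 2.0. It assumes the bundles are present as plain jar files under the install tree (the Karaf-style system/ repository layout); the sample tree that demo() builds is constructed for the example, not copied from a real install.

```python
"""Report Apache Shiro and SnakeYaml jars older than the versions shipped in
Nexus Repository 3.59.0.

Added illustration, not Sonatype code. It assumes the bundles sit somewhere
under the install directory as plain files named <artifact>-<version>.jar
(the layout of the Karaf-style system/ repository); the sample tree built by
demo() is constructed here, not copied from a real install.
"""
import os
import re
import tempfile

# Version at which each dependency is considered fixed, per this release note.
SHIRO_FIXED = (1, 12, 0)      # CVE-2023-34478
SNAKEYAML_FIXED = (2, 0, 0)   # CVE-2022-1471

# <artifact>-<numeric version>[-qualifier].jar, e.g. shiro-core-1.10.0.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][\w.-]*)?\.jar$"
)


def baseline(artifact):
    """Fixed version for the artifacts this check tracks, else None."""
    if artifact.startswith("shiro-"):      # shiro-core, shiro-web, ...
        return SHIRO_FIXED
    if artifact == "snakeyaml":
        return SNAKEYAML_FIXED
    return None


def parse_jar_name(filename):
    """Return (artifact, version tuple) for a jar name, or None if not parseable.
    A pre-release qualifier such as -alpha-3 is dropped, so judge those by hand."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))


def older_than(found, fixed):
    """Compare dotted versions, padding with zeros so (1, 12) equals (1, 12, 0)."""
    n = max(len(found), len(fixed))
    return found + (0,) * (n - len(found)) < fixed + (0,) * (n - len(fixed))


def scan(install_dir):
    """Walk install_dir; return [(relative path, artifact, version)] for jars below baseline."""
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            parsed = parse_jar_name(name)
            if parsed is None:
                continue
            artifact, version = parsed
            fixed = baseline(artifact)
            if fixed is not None and older_than(version, fixed):
                rel = os.path.relpath(os.path.join(root, name), install_dir)
                findings.append((rel, artifact, version))
    return sorted(findings)


# Constructed sample tree: two vulnerable Shiro modules, one vulnerable SnakeYaml,
# the fixed versions next to them, and an unrelated jar that must be ignored.
SAMPLE_TREE = [
    "system/org/apache/shiro/shiro-core/1.10.0/shiro-core-1.10.0.jar",
    "system/org/apache/shiro/shiro-core/1.12.0/shiro-core-1.12.0.jar",
    "system/org/apache/shiro/shiro-web/1.10.0/shiro-web-1.10.0.jar",
    "system/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar",
    "system/org/yaml/snakeyaml/2.0/snakeyaml-2.0.jar",
    "system/org/example/other-lib/3.4.1/other-lib-3.4.1.jar",
]


def demo():
    """Build the constructed tree in a temp dir and return scan()'s findings."""
    with tempfile.TemporaryDirectory() as base:
        for rel in SAMPLE_TREE:
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()    # only the file name matters for this check
        return scan(base)


if __name__ == "__main__":
    for rel, artifact, version in demo():
        print("%s: %s %s is below the fixed version" % (rel, artifact, ".".join(map(str, version))))
```

Point scan() at the root of a real install to get the same report for it; a clean 3.59.0 install should produce no findings for either dependency.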

Security Fix for User Tokens

Sonatype recently became aware of a bug impacting those using user tokens for authentication. To address the resulting security concern, we have changed user token authentication so that token comparison is always case-sensitive, regardless of the security realm or database in use. We do not know of any active exploit of this issue, but we urge customers to upgrade as soon as possible.
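Why a case-folded comparison matters: every letter position in a token that is matched case-insensitively accepts two values instead of one, so the attacker's guessing space shrinks. The example below is added here and is not Sonatype code; it places the flawed check beside a hardened one and quantifies the loss. The 62-character alphabet and 32-character length are assumptions made for the arithmetic, since this page does not state the real format of a Nexus Repository user token.

```python
"""Case-folded versus exact user token comparison.

Added illustration, not Sonatype code. The token alphabet and length are
assumptions for the arithmetic; this page does not state the real format of a
Nexus Repository user token.
"""
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, assumed
TOKEN_LEN = 32                                    # assumed


def new_token(length=TOKEN_LEN):
    """Random token drawn from ALPHABET with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def accepts_case_insensitive(stored, presented):
    """The flawed check: any case variant of the stored token is accepted."""
    return stored.lower() == presented.lower()


def accepts(stored, presented):
    """The hardened check: exact bytes, compared in constant time so that a
    mismatch early in the string costs the same as a mismatch at the end."""
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def case_variants(token):
    """How many distinct strings the flawed check accepts for one token."""
    return 2 ** sum(1 for c in token if c.isalpha())


def entropy_loss_bits(alphabet=ALPHABET, length=TOKEN_LEN):
    """Bits of guessing work an attacker saves when the verifier folds case:
    with the assumed alphabet, 62 symbols per position collapse to 36."""
    folded = {c.lower() for c in alphabet}
    return length * (math.log2(len(alphabet)) - math.log2(len(folded)))


if __name__ == "__main__":
    token = new_token()
    variant = token.swapcase()
    print("flawed check accepts swapped-case token:", accepts_case_insensitive(token, variant))
    print("hardened check accepts swapped-case token:", accepts(token, variant))
    print("variants accepted by flawed check:", case_variants(token))
    print("bits lost for a %d-char token: %.1f" % (TOKEN_LEN, entropy_loss_bits()))
```

The constant-time comparison in accepts() is a separate hardening from the case fix; it is included because a token verifier that compares with == leaks, through timing, how long a prefix of the guess was correct.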

Support for Password Encoders for LDAP Authentication

To further improve Sonatype Nexus Repository security, this release introduces support for password encoders such as SHA-256, SHA-384, and SHA-512 for those using LDAP authentication.
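For readers who need to see what a SHA-2 password encoder has to handle, the example below is added here and is not Sonatype code. It encodes and verifies hashed userPassword values in the RFC 2307-style layout that directories commonly use: a "{SCHEME}" prefix followed by base64 of the digest, or of digest || salt for the salted "{SSHA...}" schemes. The scheme names and the salt layout are assumptions taken from the OpenLDAP convention; this page does not state which layout Nexus Repository reads from the directory.

```python
"""Encode and verify RFC 2307-style hashed LDAP userPassword values with the
SHA-2 family.

Added illustration, not Sonatype code. The "{SCHEME}base64(...)" layout, the
scheme names, and digest || salt ordering for salted schemes are assumptions
taken from the OpenLDAP convention; this page does not state which layout
Nexus Repository reads from the directory.
"""
import base64
import hashlib
import hmac
import os

# scheme name -> (hashlib algorithm, salted?)
SCHEMES = {
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def encode(password, scheme="SSHA512", salt=None):
    """Produce a userPassword value. Salted schemes get a random 16-byte salt
    unless one is supplied (pass one only to reproduce a known value)."""
    algo, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(16) if salt is None else salt
        payload = hashlib.new(algo, pw + salt).digest() + salt
    else:
        payload = hashlib.new(algo, pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(payload).decode("ascii"))


def verify(password, stored):
    """True if password matches the stored value. Anything that is not a
    recognised {SCHEME}base64 value is rejected rather than compared as text,
    so a plaintext or unknown-scheme attribute never silently matches."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    entry = SCHEMES.get(scheme.upper())
    if entry is None:
        return False
    algo, salted = entry
    try:
        payload = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    digest_len = hashlib.new(algo).digest_size
    if len(payload) < digest_len:
        return False
    digest, salt = payload[:digest_len], payload[digest_len:]
    if salt and not salted:
        return False            # trailing bytes on an unsalted scheme: malformed
    computed = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    stored = encode("correct horse battery staple", "SSHA256")
    print(stored)
    print(verify("correct horse battery staple", stored))
    print(verify("Correct horse battery staple", stored))
```

Prefer the salted variants when you control how the directory stores passwords: an unsalted {SHA256} value for a given password is the same in every directory, so a leaked attribute can be matched against precomputed tables.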

Outbound Request Log

To help debug outbound network problems, we have added an outbound request log that writes an outbound-request.log file in the $data-dir/log directory. The log rotates daily, keeps 90 days of log files by default, and compresses old logs. Each entry records the date/time, the authenticated user ID, the HTTP method, the URL, the response status code, bytes sent, bytes received, and the response time.

Audit Logging for Content Selectors

To help troubleshoot content selector issues, we've expanded the audit log ($data-dir/log/audit/audit.log) to record content selector creation, update, and deletion.

Bug Fixes

Ticket Number              Description
NEXUS-39797                Resolved an issue that was causing some components to not be indexed for search in HA deployments.
NEXUS-39774 & NEXUS-39573  Using the Search API to return Maven assets with an empty maven.classifier now works as expected.
NEXUS-39255                The Conan v2 remote list command to retrieve revisions performs as expected without a 500 error.
NEXUS-36486                The blobCreated date is now preserved when migrating to PostgreSQL.
NEXUS-36415                Adjusted handling in cases where invalid content violating the metadata format is cached in a proxy repository.
NEXUS-35977                Improved error messaging and documentation related to requesting files from an R format repository. See our updated R repositories documentation for supported file types.