A critical security vulnerability has been found in 3.21.2 and 3.22.0. For details, please see CVE-2020-11753.
Sonatype recommends that administrators upgrade to 3.22.1 or newer immediately.
Repository Manager 3.23.0
We are pleased to present Nexus Repository Manager 3.23.0.
Import for Raw and Maven formats (Pro Only)
In Nexus Repository Manager 3.23.0, we focus on importing content from an external source and for a subset of formats. This can help customers migrate content from Nexus Repository Manager 2 to Nexus Repository Manager 3 at their own pace.
Import is implemented as a task. You can configure the Repository - Import external files task from Settings → Tasks → Create Task as shown here:
Nexus Intelligence via npm audit
This feature will be available to both Nexus Repository OSS and Pro users and will require a license of Nexus Firewall or Nexus Lifecycle (Nexus IQ version 89 and above). Nexus Repository Manager admins can enable Nexus Intelligence via npm audit across all development teams without having to modify any setup on the developers’ machines.
- [NEXUS-21087] (Docker) Support OCI registry format
- [NEXUS-23436] Clearer anonymous panel for upgrade wizard
- [NEXUS-23548] Helm Chart Repository API version format incorrect
- [NEXUS-20349] NuGet repository returns multiple versions as islatest=true
- [NEXUS-23420] NonResolvablePackageException thrown when downloading a package through the PyPI group
- [NEXUS-23398] Retrieval of some packages from PyPI fails
- [NEXUS-23487] PyPI repository returns 500 error response if remote returns an invalid response.
- [NEXUS-23379] Invalid content returned through proxy prevents valid content from being retrieved
- [NEXUS-23616] Blob Store API allows users to create a blobstore without path
Repository Manager 3.22.1
Includes Security Fix for Improper Access Control CVE. See the CVE-2020-11753 advisory for details.
Sonatype recommends that administrators running 3.22.0 and earlier upgrade immediately.
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.22.1. The issues fixed in this release can be found below. See the complete release notes for all resolved issues.
- NEXUS-23556 - CVE-2020-11415: LDAP system credentials can be exposed by admin user
- NEXUS-23504 - Privileged user can create, modify and execute scripting tasks
- NEXUS-23359 - NPE thrown if IdP metadata does not contain SingleLogoutService element
- NEXUS-23348 - UI Login SSO Button does not respect the nexus-context-path
- NEXUS-23352 - Conan integration in 3.22.0 does not handle Header Only packages
- NEXUS-23399 - NuGet v3 proxy repository will not serve cached content if remote is blocked
- NEXUS-23396 - Admin - Cleanup repositories using their associated policies task should lazily mark maven metadata for rebuild
Repository Manager 3.22.0
Includes Security Fix for Improper Access Control CVE. See the CVE-2020-11444 advisory for details.
Sonatype recommends that administrators running 3.21.2 and earlier upgrade immediately.
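As an added example (not Sonatype's code), a small triage script that checks NXRM 3 version strings from an asset inventory against the fixed versions stated in these release notes; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage Nexus Repository Manager 3 versions against the advisories on this page.

Boundaries come from the release notes above: CVE-2020-11753 is fixed in 3.22.1
(3.21.2 and 3.22.0 affected); CVE-2020-11444 is fixed in 3.22.0 (3.21.2 and
earlier affected); 3.21.2 itself fixes further, unnumbered issues (RCE, stored XSS).
"""
import re

# Label -> first version that contains the fix, as stated on this page.
FIXED_IN = {
    "CVE-2020-11753": (3, 22, 1),
    "CVE-2020-11444": (3, 22, 0),
    "NXRM-3.21.2-security-fixes": (3, 21, 2),
}

# Accepts '3.22.0' and the '3.22.0-02' build-suffix form NXRM reports.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch); reject anything unparseable so a garbled
    inventory entry is never silently treated as 'not vulnerable'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised NXRM version: %r" % text)
    return tuple(int(x) for x in m.groups()[:3])


def outstanding_advisories(version_text):
    """Return the labels from FIXED_IN that still apply to this version."""
    v = parse_version(version_text)
    if v[0] != 3:
        # This page only covers the NXRM 3.x line; do not guess about 2.x.
        raise ValueError("only Nexus Repository Manager 3.x is covered")
    return sorted(label for label, fixed in FIXED_IN.items() if v < fixed)


def triage(inventory):
    """Map (host, version) pairs to their outstanding advisories."""
    return {host: outstanding_advisories(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("nexus-build.example", "3.21.2-03"),
              ("nexus-dev.example", "3.22.0-02"),
              ("nexus-prod.example", "3.23.0-01")]
    for host, labels in triage(sample).items():
        print(host, "->", ", ".join(labels) or "nothing outstanding from this page")
```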
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.22.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues.
New and Noteworthy
SAML Authentication support
Nexus Repository Manager allows users to authenticate with SAML identity providers.
Note: The fix for NEXUS-22770 will cause some content previously cached in PyPI proxy repositories to be removed. This only affects proxy repositories, and the content will show up again as your builds request it. Please see the issue for details.
Conan Format support
Nexus Repository Manager now provides native support for proxying Conan repositories. Conan is a C/C++ package manager.
- [NEXUS-21910] Additional REST provisioning support for npm, NuGet and PyPI repositories
- [NEXUS-22896] performance regression in search REST API
- [NEXUS-23377] CVE-2020-11444: Improper Access Control
- [NEXUS-5716] All signed-in users can be assigned a default role
- [NEXUS-23272] Inability to add * permission to user on 3.21.2
- [NEXUS-16159] "Require user tokens for repository authentication" now enforced properly
- [NEXUS-23393] a GA level maven-metadata.xml GET request may trigger rebuilding unrelated GA maven-metadata.xml
- [NEXUS-23392] potentially long running transaction rebuilding metadata triggered by GET of GA level maven-metadata.xml while under concurrent access
- [NEXUS-22602] Repair - Rebuild Maven repository metadata (maven-metadata.xml) task with GA restrictions does not work
- [NEXUS-22245] Cannot delete npm scoped folder via UI
- [NEXUS-23048] Allow proxying NuGet packages hosted by GitHub Packages
- [NEXUS-22770] Change in stored PyPI proxy package paths creates duplicate assets and breaks browse node creation
- [NEXUS-22054] "Repair - reconcile component database from blob store" task does not remove invalid component db references
- [NEXUS-22729] Cleanup Policy task results in removal of maven-metadata from non-timestamped snapshots
Repository Manager 3.21.2
Contains fixes for security vulnerabilities. It is recommended that administrators running earlier versions upgrade immediately.
Disabled Groovy Scripting By Default
In order to make NXRM more secure, we have disabled the Groovy scripting engine by default. This affects Groovy scripts as used through the REST API and through scheduled tasks.
For more information (including how to re-enable Groovy scripting), see NEXUS-23205.
Fixes a remote code execution vulnerability.
Fixes a remote code execution vulnerability for users with administrator permissions.
Fixes a stored cross-site scripting vulnerability.
Repository Manager 3.21.1
Removes a broken menu entry incorrectly appearing for some users.
Repository Manager 3.21.0
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.21.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues.
New and Noteworthy
p2 Format support
Nexus Repository Manager now provides native support for proxying p2 repositories. p2 is a technology for provisioning and managing Eclipse- and Equinox-based applications.
This implementation does not include any ability to migrate p2 repositories from NXRM2 to NXRM3. Interest for that feature is being tracked in NEXUS-22824.
Helm Format support
Helm is the first application package manager running atop Kubernetes (k8s). It allows describing the application structure through convenient Helm charts and managing it with simple commands.
NuGet V3 Proxy support
NuGet V3 Proxy support gives Nexus Repository Manager users access to the up-to-date V3 API. This is the first part of a wider initiative to bring full V3 support; group and hosted support will follow in future releases.
Serve Yum GPG key URLs
Nexus Repository Manager now provides a common facility to allow RPM clients to get GPG keys to verify package signatures in remote repositories.
npm ping support
Nexus Repository Manager now provides npm CLI ping support.
- [NEXUS-18186] Disabling redeploy for a private Docker repo breaks the "latest" tag
- [NEXUS-21730] Audit log does not log all attributes for repository change events
Blobstore, Scheduled Tasks
- [NEXUS-21329] "Remove a member from a blob store group" task processes missing files in the source blob store
- [NEXUS-18905] Cleanup tasks fail with "No search context found for id" error
- [NEXUS-13306] Usernames containing non URL safe characters cannot authenticate using the Crowd realm
- [NEXUS-16009] Browse tree for NuGet proxy repositories shows packages that are not locally cached
- [NEXUS-22051] PyPI group merge is not case sensitive
- [NEXUS-22351] R PACKAGES file lost on upgrade to 3.20.x
- [NEXUS-17477] Unable to install hosted gem which has multiple version requirements
- [NEXUS-22052] Yum Metadata not rebuilt after staging deletion of rpm