2020 Release Notes

Security Fix

A critical security vulnerability has been found in all versions of NXRM 3 up to and including 3.21.1. For details, please see CVE-2020-10199, CVE-2020-10203, and CVE-2020-10204.

Sonatype recommends that administrators upgrade to 3.21.2 or newer immediately.

Repository Manager 3.22.0

2020-03-27

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.22.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues. 

New and Noteworthy

SAML Authentication support

NEXUS-20939 

Nexus Repository Manager allows users to authenticate with SAML identity providers.

Conan Format support

NEXUS-14310

Nexus Repository Manager now provides native support for proxying Conan repositories. Conan is a C/C++ package manager.

General Improvements

REST

  • [NEXUS-21910] Additional REST provisioning support for npm, NuGet and PyPI repositories
  • [NEXUS-22896] performance regression in search REST API

Security

  • [NEXUS-5716] All signed-in users can be assigned a default role
  • [NEXUS-23272] Inability to add * permission to user on 3.21.2

  • [NEXUS-16159] "Require user tokens for repository authentication" now enforced properly

npm

NuGet

  • [NEXUS-23048] Allow proxying NuGet packages hosted by GitHub Packages

PyPI

  • [NEXUS-22770] Change in stored PyPI proxy package paths creates duplicate assets and breaks browse node creation

Tasks

  • [NEXUS-22054] "Repair - reconcile component database from blob store" task does not remove invalid component db references.

  • [NEXUS-22729] Cleanup Policy task results in removal of maven-metadata from non-timestamped snapshots


Repository Manager 3.21.2

2020-03-23

Contains fixes for security vulnerabilities. It is recommended that administrators running earlier versions upgrade immediately.

Disabled Groovy Scripting By Default

To make NXRM more secure, we have disabled the Groovy scripting engine by default. This affects Groovy scripts used through the REST API and through scheduled tasks.

For more information (including how to re-enable Groovy scripting), see NEXUS-23205.

NEXUS-23146

Fixes a remote code execution vulnerability.

NEXUS-23147

Fixes a remote code execution vulnerability for users with administrator permissions.

NEXUS-23148

Fixes a stored cross-site scripting vulnerability.

Repository Manager 3.21.1

2020-02-18

Removes a broken menu entry incorrectly appearing for some users.

Repository Manager 3.21.0

2020-02-18

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.21.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues.

New and Noteworthy

p2 Format support

NEXUS-11730 

Nexus Repository Manager now provides native support for proxying p2 repositories. p2 is a technology for provisioning and managing Eclipse- and Equinox-based applications.

Note

This implementation does not include any ability to migrate p2 repositories from NXRM2 to NXRM3. Interest in that feature is being tracked in NEXUS-22824.

Helm Format support

NEXUS-13325

Helm is the first application package manager running atop Kubernetes (k8s). It allows describing the application structure through convenient Helm charts and managing it with simple commands.

NuGet V3 Proxy support

NEXUS-10886

NuGet V3 Proxy support gives Nexus Repository Manager users access to the up-to-date V3 API. This is the first part of a wider initiative to bring full V3 support; group and hosted support will follow in future releases.

Serve Yum GPG key URLs

NEXUS-16251

Nexus Repository Manager now provides a common facility to allow RPM clients to get GPG keys to verify package signatures in remote repositories.

npm ping support

NEXUS-13434

Nexus Repository Manager now provides npm CLI ping support.

General Improvements

Docker

  • [NEXUS-18186] Disabling redeploy for a private Docker repo breaks the "latest" tag

Audit

  • [NEXUS-21730] Audit log does not log all attributes for repository change events

Blobstore, Scheduled Tasks

  • [NEXUS-21329] "Remove a member from a blob store group" task processes missing files in the source blob store

Cleanup

  • [NEXUS-18905] Cleanup tasks fail with "No search context found for id" error

Crowd

  • [NEXUS-13306] Usernames containing non URL safe characters cannot authenticate using the Crowd realm 

NuGet

  • [NEXUS-16009] Browse tree for NuGet proxy repositories shows packages that are not locally cached

PyPI

R

  • [NEXUS-22351] R PACKAGES file lost on upgrade to 3.20.x

RubyGems

  • [NEXUS-17477] Unable to install hosted gem which has multiple version requirements

Yum

  • [NEXUS-22052] Yum Metadata not rebuilt after staging deletion of rpm