Sonatype Nexus 2.11.2 Release Notes

Sonatype Nexus 2.11.2 Release Notes

These notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.11.2.

See the complete release notes for all resolved issues.

Release History

2.11.2-06 - Mar. 16, 2015

Nexus 2.11.2-03 users should upgrade - see our article for more information.

  • includes scheduled task Reconcile Repository Checksums that fixes bad checksums created by NEXUS-8221

2.11.2-04 - Mar. 6, 2015

  • includes critical preventative fix for NEXUS-8221 - Bug metadata generation creates incorrect md5 / sha1

2.11.2-03 - Feb. 23, 2015

  • initial 2.11.2 public release

New and Noteworthy

Session Cookie Name Change

To help avoid conflicts with other web applications, the session cookie name required by the Nexus user interface has changed from JSESSIONID to NXSESSIONID. The cookie name is now configurable in case you need to revert this change.

Session Cookie Secure Attribute Set Dynamically

If Nexus detects that the inbound request originates over HTTPS, then Nexus now sets the Secure flag on the session cookie. If you have problems with web browser sessions when a server other than Nexus handles the secure connection, then make sure your fronting server is sending Nexus the X-Forwarded-Proto: https header value. See our book for reverse proxy configuration advice.

Attribute File Access Is Now Blocked By Default

Nexus now blocks HTTP access to paths which include the special storage directory .nexus/attributes . Customers should avoid relying on direct access of attributes files. Some customers may have relied on accessing these files over HTTP to work around rare problems. In cases where access to these files are still required, we have an article which explains how to restore access.

npm Repository Scheduled Tasks Added

Two new scheduled tasks have been added for npm repositories - Backup npm metadata database and Rebuild hosted npm metadata. We advise that users of Hosted npm Repositories consider scheduling the backup task.

Java 8 Official Support

Nexus has worked well with Java 8 since version 2.10. In preparation for the end of Oracle public updates for Java 7, we have updated our complete build and testing infrastructure to ensure Java 8 remains a solid platform on which to run Nexus. [NEXUS-7330]

General Improvements

Maven Repository

  • [NEXUS-7808] Bug non-snapshot versions containing SNAPSHOT can bypass a release repository Deployment Policy


  • [NEXUS-7974] Task Update NPM plugin to use OrientDB 2.0
  • [NEXUS-7835] Improvement provide a scheduled task to rebuild the npm metadata from storage data for hosted repositories
  • [NEXUS-8072] Improvement provide a scheduled task to backup npm metadata


  • [NEXUS-7873] Bug produces OBR metadata which cannot be parsed by felix 4.4.1


  • [NEXUS-7881] Improvement allow nexus 2.x to load outreach content by version,edition and user

Proxy Repository

  • [NEXUS-7915] Improvement support proxying


  • [NEXUS-7933] Bug Delete repository does not work if trash and repository directories are on different file systems
  • [NEXUS-7850] Improvement Ban content which could be interpreted as a "link" to be uploaded or downloaded
  • [NEXUS-7834] Bug Nexus allows direct access to trash directory through content URL's. security
  • [NEXUS-7903] Bug resuming downloads for unsatisfiable Range should respond with 416 or 200 instead of 206
  • [NEXUS-7650] Technical Debt Upgrade to Apache Tika 1.7 for better mime detection
  • [NEXUS-8058] Improvement block access to .nexus/attributes files by default
  • [NEXUS-7929] Bug maven site deployments with .. in paths fail


  • [NEXUS-7927] Bug Deletion of ruby gems via REST fails on Windows


  • [NEXUS-6246] Bug Checksum search fails after repair index task is run


  • [NEXUS-7889] Bug RUT Auth does not work for /content URL's
  • [NEXUS-7882] Bug /service/local/authentication/logout should ask the user-agent to delete the session cookie


  • [NEXUS-5830] Bug /service/local/status resource creates http sessions
  • [NEXUS-7880] Improvement change the default Nexus session cookie name
  • [NEXUS-7879] Improvement generate dynamic Secure parameterized cookies based on HttpServletRequest.isSecure()


  • [NEXUS-7877] Improvement prevent nexus from sending rememberMe=deleteme cookie
  • [NEXUS-7878] Improvement prevent restlet resources from sending duplicate Date and Server headers


  • [NEXUS-3540] Bug Copyright date in "Help/About" needs to be updated
Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk