Sonatype Nexus 2.0 through 2.8.1 Release Notes

Sonatype Nexus versions 2.0 through 2.8.1 release notes are documented in this article.

Sonatype Nexus 2.9 and newer have individual release notes pages.

Sonatype Nexus 2.8.1 Release Notes

These notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.8.1.

See the complete release notes for all resolved issues.

New and Noteworthy

Temporary Directory Handled Consistently

It was possible that the temporary directory used by Nexus was indeterminate for some operations. The preferred default temporary directory was ${NEXUS_WORK}/tmp, but since that value cannot be reliably set by default before boot, Nexus now defaults the temporary directory to ${NEXUS_HOME}/tmp. This may impact the disk space requirements for some installations. See the article discussing the temporary directory for more information. NEXUS-6595

Smart Proxy Performance Improvements

Working closely with our customers, we have identified some Smart Proxy performance issues in certain circumstances. Smart Proxy users should consider upgrading to benefit from these changes. NEXUS-6570, NEXUS-6600

Notable: Turn on strict URI matching in restlet

Nexus restlet now uses strict URI matching as the default. This may impact the functionality of some third-party plugins. If you are using plugins not supplied by Sonatype, you should test these against 2.8.1 before upgrading. It is possible (although unlikely) that REST endpoints in these plugins may not work correctly in 2.8.1. NEXUS-6630

General Improvements


  • [NEXUS-6555] Bug SystemProperty not working in war-Deployment
  • [NEXUS-6352] Bug explicitly set not always respected and tmp dir not under nexus work
  • [NEXUS-6595] Bug Revert tmp dir handling, only use to set this value in wrapper.conf compatibility

Build Tooling,Staging

  • [NEXUS-6538] Bug nexus-staging-maven-plugin: proxying to https host fails with ProxyInfo and BaseUrl protocols does not align!


  • [NEXUS-6607] Bug CLM component details fails when going through authenticated http proxy


  • [NEXUS-6545] Bug request.log is rotated to NEXUS_HOME instead of NEXUS_WORK/logs compatibility
  • [NEXUS-6553] Improvement limit nexus.log time based log rolling to max history of 90 days instead of infinite compatibility


  • [NEXUS-6514] Improvement Add commercial license fingerprint value to the System Information report

Maven Repository

  • [NEXUS-6510] Bug ERROR log message from M2Repository - LocalStorageException FileAlreadyExistsException does not include root cause throwable
  • [NEXUS-6560] Bug uncompressed archives with HTML file as an entry can be rejected by file content validation

Maven Repository,Smart Proxy

  • [NEXUS-6600] Bug Expire cache walker blocks subsequent NFC expirations performance


  • [NEXUS-6530] Improvement Archive browser doesn't work for NuGet .nupkg packages

OBR,Smart Proxy

  • [NEXUS-6564] Bug OBR virtual repository metadata update fails when triggered by smart proxy download immediately


  • [NEXUS-6562] Bug Regression: File content validation still enabled for procurement, no way to disable
  • [NEXUS-6520] Improvement Remove procurement from trial eval guide


  • [NEXUS-6542] Bug Maven model classes are missing from xstream whitelist configuration compatibility


  • [NEXUS-6539] Bug Forced Base URL value different from the incoming request URL can break UI / RESTLET based resources


  • [NEXUS-6630] Improvement Turn on strict URI matching in restlet
  • [NEXUS-6549] Bug Browse Storage/Index can block access to folders or files that start with "content"
  • [NEXUS-6554] Bug XSS vulnerability in outreach plugin
  • [NEXUS-6569] Improvement Add X-Frame-Options header to avoid clickjacking

Smart Proxy

  • [NEXUS-6570] Bug Smart Proxy download immediately option for checksum updates sends duplicate download requests for main artifact performance

Support Tools

  • [NEXUS-6241] Improvement Add end-user instructions for support ticket creation in Support Tools UI


  • [NEXUS-6526] Improvement add request context to to aid determining the root cause
  • [NEXUS-6501] Bug inbound request URL syntax validity should be checked and fail fast


  • [NEXUS-6582] Bug Yum Generate Metadata does not detect new rpms added on filesystem
  • [NEXUS-6583] Bug Yum Generate Metadata only allows a single RPM per Directory

Sonatype Nexus Professional 2.8.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.8.0.

See here for all issues fixed in this release.

New and Noteworthy

Influence Nexus Product Development Using Analytics

As part of the process to help us make Nexus better, Administrators can optionally choose to send anonymous REST API usage data to Sonatype. This data will help us decide what features are most important to you and will influence product development for Nexus 3.0 and beyond. The data can be inspected and even exported for your own use as well.

To enable analytics on your instance go to "Administration/Analytics" in the Nexus UI.

Enhanced Sonatype CLM Integration

Nexus Professional now supports deep integration with Sonatype CLM. Sonatype CLM users can see full component information containing popularity, license data, security vulnerabilities, and policy violations. This information can be compared against all other available versions of a given component.

Detailed information about particular component versions can now be viewed directly in Nexus.


Note: You'll need to upgrade your CLM server to version 1.10.2 or higher to use this new functionality.  You can download the latest version here.

Repository Health Check Improvements

  • Simplified configuration of Repository Health Check
  • Health check can now be enabled for all types of proxy repositories supported by Nexus (Maven, P2, NuGet, OBR, Yum, etc.)
  • Improved UI in search results



Bundled Jetty Configuration is Simpler and Extensible

Previously, Nexus only supported loading a single Jetty configuration file, typically at ${NEXUS_HOME}/conf/jetty.xml, to configure the builtin Jetty instance. Now Nexus can be launched with multiple Jetty configuration files as launcher parameters. This resembles the default configuration merging behaviour that Jetty users are used to. All files at ${NEXUS_HOME}/conf/jetty-*.xml can be used as is or customized with properties specified in NEXUS_HOME/conf/ More Information. NEXUS-6153

Request Access Logging Enabled by Default

Nexus now ships with inbound request logging enabled by default, logging to a file separate from the main Nexus log. Access logs have proved very useful for our customers to diagnose problems and understand load characteristics. While these logs will consume additional disk space, log rotation can help ensure a reasonable retention policy. More information. NEXUS-6472

Note: Upgrades From Nexus 1.x to Nexus 2.8 Require Additional Upgrade Step

Sonatype Nexus is undergoing some major enhancements this year. As a preparatory step, automatic configuration upgrades from the Nexus 1.x series to Nexus 2.8 and newer are no longer supported. Direct upgrade of Nexus versions 2.0 to 2.7.x continues to be supported. Upgrades of 1.x versions must first upgrade to the latest 2.7.x version, then upgrade to Nexus 2.8 or newer. NEXUS-6099

Internet Explorer 8 Support is Deprecated

IE 8 works with Nexus 2.8 with only a few minor issues. However, Nexus 3.0 will be using a new version of our UI toolkit which does not support IE8. Consequently, support for IE8 will be ending after the 2.8.x Nexus series is complete. More information. NEXUS-6330


General Fixes and Improvements


  • [NEXUS-6147] Improvement application properties source should print at DEBUG only


  • [NEXUS-6112] Task Upgrade to Sonatype/Sisu 2.5.0 (legacy runtime wrapper around Eclipse/Sisu 0.1.0) compatibility

Build Tooling,Staging

  • [NEXUS-6182] Improvement Add parallel build support to nexus-maven-staging-plugin
  • [NEXUS-6164] Improvement Add ability to disable SSL certificate checks to nexus maven plugins


  • [NEXUS-6269] Bug UI: Capabilities Admin gets 403 response trying to read Capability Types


  • [NEXUS-6154] Improvement add consistent log timestamps including timezone offset and ms resolution
  • [NEXUS-6102] Bug Replace dead MimeUtil2 with Apache Tika
  • [NEXUS-6153] Improvement allow inlining jetty.xml config files as nexus app parameters
  • [NEXUS-6319] Bug Typo in error message: "instantianate"


  • [NEXUS-6132] Bug nexus security diagnostic queries crowd realm even when it is not configured
  • [NEXUS-6243] Bug cache already exists "enterprise-ldap" when searching for crowd user

Maven Repository

  • [NEXUS-6298] Bug maven-metadata.xml file merged incorrectly


  • [NEXUS-6503] Improvement optimizations for large nuget repository databases with slow queries for latest version


  • [NEXUS-6311] Task Upgrade tycho dependencies in p2 for CLM compliance compatibility


  • [NEXUS-6485] Improvement Prefix file update of procurement repository can cause nexus startup to take an extremely long time performance


  • [NEXUS-6358] Bug ?describe output no longer has "contained in repositories"


  • [NEXUS-6307] Improvement Print message in log if high-strength JCE is installed


  • [NEXUS-6277] Bug Requests to hosted repositories slow down linearly as group repository membership increases


  • [NEXUS-6306] Bug strip out invalid addressees out of staging emails before send attempt
  • [NEXUS-6242] Bug nexus-staging-maven-plugin fails with IllegalArgumentException: XPP3 pull parser library not present. Specify another driver.

Support Tools

  • [NEXUS-6276] Bug NullPointerException when switching to Log tab
  • [NEXUS-6472] Improvement Enable inbound request access logging by default

System Feeds

  • [NEXUS-6294] Bug timeline can leave index files in deleted state performance


  • [NEXUS-6236] Improvement Upgrade HttpClient to 4.3.x
  • [NEXUS-6221] Bug add context to log message "The target server failed to respond"

User Token

  • [NEXUS-6155] Bug Print error in nexus-m2settings-maven-plugin 1.5.x if it is used with Nexus 2.6 or earlier


  • [NEXUS-6271] Bug File content validation fails with empty zip file
  • [NEXUS-6491] Bug Nexus should not dump stack traces to end users
  • [NEXUS-5694] Improvement Add support to detect/register metrics healthcheck components
  • [NEXUS-6571] Bug LinkPersister#isLinkContent is invoked for attributes performance
  • [NEXUS-6572] Bug Add new "breadth first" walker traversal type to improve walker performance performance
  • [NEXUS-6320] Bug repository content index page links can reference incoming request host, port and path instead of forced base URL

Sonatype Nexus Professional 2.7.2

Important: This release of Nexus fixes a critical security issue (NEXUS-6315). Details about this vulnerability can be found here.

Bug Fixes

  • NEXUS-6139 - Evict unused proxied items task moves items to trash
  • NEXUS-6155 - Print error in nexus-m2settings-maven-plugin 1.5.x if it is used with Nexus 2.6 or earlier

  • NEXUS-6182 - parallel build support in nexus-staging-maven-plugin
  • NEXUS-6164 - allow disabling ssl certificate checks in nexus-staging-maven-plugin
  • NEXUS-6213 - Add file content validation for site.xml
  • NEXUS-6219 - rebuild metadata task rebuilds metadata on the same repository more than once during a single task run
  • NEXUS-6220 - Repository health check fails when using an HTTP proxy server with NTLM authentication.
  • NEXUS-6230 - Remove all unused snapshots fails with NPE in logs
  • NEXUS-6232 - prevent concurrent execution of createrepo against the same data
  • NEXUS-6234 - File content validation is enabled for procurement repositories, there is no way to disable it
  • NEXUS-6244 - Regression: Crowd plugin does not support nested group role mapping user privileges
  • NEXUS-6248 - Last-modified header wrong for archetype-catalog.xml of group repo
  • NEXUS-6249 - Wrong checksums cached for maven unique snapshots (sha1 and md5)
  • NEXUS-6250 - Not able to view remote internal (proxy) repository
  • NEXUS-6253 - LDAP timeout is logged at DEBUG
  • NEXUS-6258 - Path cache appears broken in customer configuration
  • NEXUS-6259 - Staging yum metadata capability can prevent loading of staging repositories
  • NEXUS-6315 - Security Vulnerability: REST API


Sonatype Nexus Professional 2.7.1

A critical security vulnerability (CVE-2014-0792) has been discovered by Sonatype in Nexus requiring immediate action. This vulnerability has been fixed in the 2.7.1 release.

A patch is also available which fixes this issue for all 2.x versions of Nexus. Information about this can be found in the Nexus Security Vulnerability article.

Bug Fixes

  • NEXUS-6172 Indexing tasks can leave files present in (deleted) state until the next index read operation
  • NEXUS-6176 New describe page lost the group's not found reasoning.
  • NEXUS-6185 Timestamped M2 Snapshots should be consumable over M1 shadow
  • NEXUS-6189 Need a way to set session timeout duration in Nexus
  • NEXUS-6205 Update XStream
  • NEXUS-6206 Set userId in MDC on login, and unset on logout

Sonatype Nexus Professional 2.7.0-06

Bug Fixes

  • NEXUS-6168 Nexus 2.7 breaks nexus-ruby-plugin
  • NEXUS-6169 Nexus 2.7 now returns 501 instead of 405 for MKCOL, possibly breaking some wagons
  • NEXUS-6179 Requesting a folder which does not exist in a proxy repository's local storage causes a file to be created in storage.
  • NEXUS-6183 logger does not include timing information

Sonatype Nexus Professional 2.7.0-05

Bug Fixes

  • NEXUS-6150 Misleading message printed when IOException is thrown trying to lock nexus.lock file
  • NEXUS-6151 Nexus war edition will not start if work directory does not exist

Sonatype Nexus Professional 2.7.0-04

Bug Fixes

  • NEXUS-6149 ContentServlet depends on the presence of client certificates when accessed via https

Sonatype Nexus 2.7.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.7.0.

See here for a full list of all issues fixed in the 2.7.0 release.

New and Noteworthy

All Shipping Plugins are Installed by Default

Previous versions of Nexus Professional shipped with some plugins which were not installed by default. These were located in "$NEXUS_HOME/nexus/WEB-INF/optional-plugins", and installation required manually copying these over to the main plugin repository and restarting the server.  In Nexus 2.7, all plugins are installed by default.  The following plugins are affected:

* Note: The Unpack Plugin creates a special "content-compressed" REST endpoint which can be used to deploy zip files to a repository.  The URL looks like this: http://localhost:8081/nexus/service/local/repositories/releases/content-compressed. The files in the zip will be unpacked and deployed individually to the repository.

New Atlassian Crowd Plugin

We have completely rewritten the Atlassian Crowd Nexus plugin. It performs better, is more reliable and depends on current Crowd REST APIs under the hood. Upgrades of your previous Crowd configuration should be handled seamlessly.

The plugin is already installed by default and configuration can be accessed via Security -> Crowd in the sidebar. Refer to the Sonatype Nexus Book Crowd Chapter for more information.

The plugin has been primarily tested with Crowd 2.5.5 and 2.6.5 at shipping time. Although the Crowd REST API used should work with Crowd versions as old as 2.1, users are encouraged to use this plugin with at least the tested versions of Crowd or newer. In particular, Atlassian Crowd releases earlier than 2.5.5 are known to have severe security vulnerabilities.

If you use an https URL to access your Crowd server, you can now configure an SSL: Crowd Capability to explicitly manage the trust of the SSL certificate.

New Support Tools

The old automatic problem reporting feature under "help/report problem" has been replaced with a new set of support tools.

Nexus now has a System Information report to show detailed information about the configuration and runtime environment of the Nexus instance.

A new option to generate a Support ZIP which can be sent to Sonatype support has been added.  This ZIP file is not encrypted so users can inspect the contents before providing it to Sonatype via a secure support site ticket at

New Logging UI

The logging UI has been completely rewritten, and now allows for setting log levels for individual java packages and classes through the UI.  It also has a new "mark" facility which can be used to add markers in the log. These markers help delineate where a problem was reproduced.

Note: The previous System Files feature has been removed and replaced by the new log viewer and Support Zip feature.

Authentication via Remote User HTTP Header

Nexus now supports external pre-authentication of users.  An HTTP header can be configured (such as REMOTE_USER) which contains a user ID which has already been authenticated by the external system. See the book for more information.

Legacy Startup Scripts Removed

The old startup scripts (located under $NEXUS_HOME/bin/jsw/$ARCH in the installation directory) have finally been removed. These have been deprecated since Nexus 2.0. Users should use the new startup scripts introduced in Nexus 2.0, located in $NEXUS_HOME/bin (NEXUS-5781). The 'clickable' Windows batch files (*-nexus.bat) have remained, but the only use case for these is to be 'clicked' to perform a specific named action.

Work Directory is now Locked to Prevent Concurrent Access

The work directory is now locked to prevent simultaneous access by multiple Nexus instances. A sonatype-work/nexus/nexus.lock file is created containing the process id when Nexus is started, and deleted when Nexus is stopped (NEXUS-5306).

No Longer Possible to Disable Security

Previous versions of Nexus had a setting which completely disabled security. This added unnecessary complexity to the system, and the setting has been removed. If someone really wants to run Nexus without security, this can be done by giving the anonymous user the Administrator role.

Custom Metadata is now Enabled/Disabled via Capability

In previous versions of Nexus the Custom Metadata Plugin shipped in "$NEXUS_HOME/nexus/WEB-INF/optional-plugins" because it can add additional overhead to large instances. It is now shipped in the main plugin repository. To enable it, go to "administration/capabilities" and add a new capability of type "Custom Metadata". If you were using it previously, you need to explicitly enable it after upgrade to keep using it. Note that this is a one-time requirement; the setting will persist through future upgrades.

Plexus Components Deprecated

Components in Nexus have been converted to JSR-330, and use of Plexus components has been deprecated. Warnings will be logged on startup when Plexus components are detected. Custom plugins should be updated, as support for use of Plexus components will be removed in a future version of Nexus (NEXUS-5755).

Deprecated Legacy API

Many legacy, unused, or soon-to-be-removed APIs have been marked as deprecated. These will be removed in future versions of Nexus. Custom plugins should be updated to avoid usage of deprecated APIs.

Nexus Staging Maven Plugin Automatic Release

A new parameter has been added to the nexus-staging-maven-plugin, "releaseAfterClose".  When this is set the plugin will automatically release a staging repository after closing it provided that all staging rules (including CLM scans) have passed (NEXUS-5906).

Automatic Cleanup of old Build Promotion Repositories

The "Drop Inactive Staging Repositories" task has been enhanced to allow cleanup of build promotion repositories (NXCM-5226).

Enhanced UI for Tables

Most UI tables in Nexus can now support filtering of contents via UI search (NXCM-4490).

Improved Capabilities UI

Numerous improvements have been made to the capabilities UI, including the ability to group capabilities by any column (particularly useful is grouping by "category").  Also, there is a new tabbed interface which cleanly separates Summary, Settings, Status, and About (NEXUS-5940).

Nexus Branding Plugin Improvement

The Nexus Branding Plugin (which allows setting a custom banner in the UI) can now be configured via capabilities UI (NEXUS-5891). To set a custom banner in Nexus 2.7 go to "Administration/Capabilities" and add in a "Branding" capability. Previous custom banners should be detected automatically on upgrade.

Mirrors Tab Removed from Proxy Repositories

The old "mirrors" feature has been removed from proxy repositories and previous settings will be ignored (NEXUS-5789). Proxy repositories that had this configured will now fetch all artifacts, poms, metadata and checksums from the remote proxy directly.

Groovy Integration

Groovy support has been moved into the nexus-groovy-plugin and can now be used to write Nexus plugins in Groovy (NEXUS-5892). An example Nexus plugin written in Groovy is our new Support plugin.

Performance Improvements

We've measured significant performance improvements processing staging repositories and checking permissions in some configurations (NXCM-5448).

Significant Bug Fixes


  • [NEXUS-4697] - Add password text field
  • [NEXUS-5406] - [capabilities] Dynamic source for selections for combos
  • [NEXUS-5940] - Rewrite Capabilities UI
  • [NEXUS-5941] - Add support for tagging to capabilities
  • [NEXUS-6072] - Failure during capability load prevents the rest of capabilities to be loaded

CLM Integration

  • [NEXUS-6060] - CLM App Management link of profile editor leads to wrong URL
  • [NEXUS-6041] - Impossible to disable CLM from UI
  • [NEXUS-5942] - Make CLM Application ID a droplist which is populated from the CLM server
  • [NEXUS-5946] - Remove CLM config in favor of a capability
  • [NXCM-5402] - Nexus to CLM server https connections should be able to use Nexus SSL truststore

Crowd Integration

  • [NXCM-5432] - modernize Nexus Atlassian Crowd Plugin
  • [NXCM-5443] - Allow crowd plugin to use nexus private truststore for SSL certs
  • [NXCM-5499] - improve crowd configuration contextual help messages
  • [NXCM-5501] - if crowd realm is configured and active, but login does not need it, crowd server is still contacted


  • [NEXUS-5998] - Extremely inefficient mechanism used to retrieve LDAP users for notification
  • [NEXUS-6068] - Nexus problem reporting can reset ldap server bind passwords in memory to ***
  • [NEXUS-6081] - LDAP password are sent in clear text

  • [NEXUS-5870] - Provide a mechanism to allow additional LDAP environment variables to be set.
  • [NEXUS-4062] - Automatically add the LDAP security realm when user saves LDAP settings


  • [NEXUS-6085] - duplicate Nuget Api key buttons possible
  • [NXCM-5423] - Download NuGet Feed task reports success even if it receives an invalid response from remote server
  • [NXCM-5324] - Can't synchronize Nuget feed from if "fetch all versions" is checked.


  • [NEXUS-5930] - Nexus OBR shadow makes Nexus deadlock prone, while reading/writing obr.xml
  • [NEXUS-5995] - P2 repository plugin generates incorrect content.xml data for features
  • [NEXUS-5831] - [p2] serve jarred repository metadata
  • [NXCM-5431] - investigate httpclient 3.1 use in nexus-p2-bridge-plugin


  • [NEXUS-4945] - Concurrent modification exception in procurement
  • [NXCM-4752] - Artifact Procurement allows you to create repository cycles, results in stack overflow.
  • [NXCM-5409] - Newly deployed artifacts can be blocked from procurement by automatic routing
  • [NXCM-5515] - Procurement repository download fails if user does not have read privileges to source repo


  • [NEXUS-4997] - SMTP config panel uses "SSL" and "TLS" incorrectly
  • [NEXUS-2911] - Authentication error shows up as "400 bad request" during smtp validation.
  • [NEXUS-5808] - no indication at default log levels that email server configuration is broken


  • [NEXUS-5772] - File content validation broken on newer versions of Linux
  • [NEXUS-5789] - Remove proxy repository Mirrors feature
  • [NEXUS-5790] - Download speeds reduced in recent Nexus versions
  • [NEXUS-5811] - Browse remote storage incorrectly handles forced remote base url , preventing remote browse UI tree from expanding
  • [NEXUS-5838] - Repositories -> Browse Remote uses wrong URL on remote and gets HTTP/404
  • [NEXUS-5877] - Repository pop up in list has duplicate entries
  • [NEXUS-5944] - Repository is auto-blocked if "allow file browsing" is disabled on remote
  • [NEXUS-4207] - make default value of Publish URL "True" when creating a group repository
  • [NEXUS-4292] - Download button's URL should be copy-able (into mails, jira comments, ...)
  • [NEXUS-4737] - Add extra columns to the repository targets view

  • [NEXUS-5898] - Make connection request retry attempts work for connection reset exceptions
  • [NXCM-5422] - Nexus Archive Browser Plugin does not work with .bar files
  • [NXCM-4490] - Make repositories grid view filterable/searchable


  • [NEXUS-5807] - Automatic routing fails for grails repo
  • [NEXUS-6050] - Automatic routing warnings should include repository ID


Scheduled Tasks

  • [NEXUS-4580] - Empty trash task should allow specifying repositories
  • [NEXUS-5871] - Scheduled task drop down is not sorted
  • [NEXUS-5797] - Scheduled task to remove old unreleased snapshots
  • [NXCM-5226] - Add "include promoted repositories" option to staging repo cleanup task


  • [NEXUS-5798] - Out of service repositories should not be included in search results
  • [NEXUS-5814] - Nexus should not stop indexing if it encounters a jar file it cannot parse, but should report the jar location
  • [NEXUS-5817] - indexing operations which require remote repo access do not always respect blocked repo status
  • [NEXUS-5821] - Repositories view right-click menu Repair Index / Update Index items duplicated
  • [NEXUS-5799] - IndexCreators aren't ordered according to dependencies
  • [NEXUS-5909] - Move nexus-custom-metadata-plugin out of _optional-plugins_ to default installed plugins


  • [NEXUS-4219] - nexus is silent when it does not have permissions to update security.xml
  • [NEXUS-5826] - Sort the repository drop down list in "add/repository target privilege" alphabetically (without separating group repos)
  • [NEXUS-3119] - Show status (active/disabled) of user in the list of users (in the Users panel)
  • [NEXUS-5490] - Add support for REMOTE_USER header
  • [NEXUS-5899] - Remove ability to disable security
  • [NXCM-4543] - Usertoken nameCode is leaking out into the UI

  • [NXCM-5233] - Introduce property to enable/disable session timeout from UI

Smart Proxy

  • [NEXUS-6069] - Smart Proxy: Connector capability cannot be created/updated if "Advertise" is not checked
  • [NXCM-4759] - Remove groovy, replace with javascript optional broker configuration


  • [NXCM-5448] - Extremely poor performance viewing staging repositories and checking permissions
  • [NEXUS-5974] - Staging operation on multiple repositories does not abort properly on failure
  • [NEXUS-6078] - race: DefaultFSLocalRepositoryStorage.getBaseDir Could not create baseDir during staging repository creation
  • [NEXUS-5906] - Add "releaseAfterClose" option to the nexus-staging-maven-plugin
  • [NXCM-3969] - Closing a staging repo fails when its repo group is missing with Server ERROR 500
  • [NEXUS-6051] - Poor error handling in staging.xml validation
  • [NXCM-5065] - vague user message on NullPointerException when nexus-staging-maven-plugin missing required parameters

  • [NXCM-5306] - Staging repository dropped from build promotion profile still shows "promoted" as last activity
  • [NXCM-5403] - nexus-staging-maven-plugin does not interact well with maven-site-plugin:attach-descriptor goal

  • [NXCM-5412] - Add an rc-list goal to the nexus-staging-maven-plugin
  • [NXCM-5415] - If staging UI upload fails because a matching profile cannot be found error message is confusing/misleading
  • [NXCM-5427] - add "Demote" activity to staging repository that was demoted from a promotion group repository
  • [NXCM-5516] - Expose timeout configuration on nexus-staging-maven-plugin (and ant tasks)
  • [NXCM-5451] - staging/bundle_upload transitioning conflict during concurrent processing can cause 500 status Staging repository is already transitioning


  • [NEXUS-5405] - Group Yum metadata not regenerated when a member proxy repository metadata changes
  • [NEXUS-5806] - Group level yum metadata is incorrect
  • [NEXUS-5842] - Yum Generate Metadata Task does not expose newly deployed RPMs after first metadata generation
  • [NEXUS-5795] - Cannot browse YUM repodata directory
  • [NEXUS-5820] - If base URL is set, but not forced, yum xml:base picks up URL of incoming deploy requests, not the base URL of server
  • [NEXUS-5829] - inconsistency on what type of repository you can run Yum: Generate Metadata against
  • [NEXUS-5955] - Automatic routing interferes with yum repo metadata
  • [NEXUS-5956] - Old yum metadata is never cleaned up from yum proxy repository.
  • [NEXUS-5957] - Yum proxy repository metadata is not refetched if request for it comes through a group repo
  • [NEXUS-6057] - Yum merge metadata capability cause Stack Overflow when repository is put Out of Service
  • [NEXUS-5507] - Yum metadata support for staging repositories.
  • [NEXUS-5794] - Add support for specifying yum groups file


  • [NEXUS-5348] - Purge timeline task should delete old files from 'persist'
  • [NEXUS-5822] - StackOverflowError when launching Nexus 2.6.0-05 on Java 8 b100+
  • [NEXUS-5828] - Nexus 2.6 breaks upgrade from Nexus 1.9.0 and 1.9.1
  • [NEXUS-5963] - System property http.proxyHost incompatible regular expressions, server wide
  • [NEXUS-5999] - PGP key server information configuration on settings page click links to configured URL
  • [NEXUS-5306] - Nexus should lock the work directory to prevent multiple processes using it
  • [NEXUS-5584] - Implement atomic writes for all files in the conf directory.
  • [NEXUS-5755] - Remove use of Plexus components in Nexus
  • [NEXUS-5891] - Make branding plugin configurable via capabilities, remove from "optional" plugins
  • [NEXUS-5781] - remove deprecated platform specific wrapper 'nexus' scripts
  • [NEXUS-5883] - Add order column so that sorting can be restored to default order
  • [NEXUS-5907] - Remove nexus-user-account-plugin (ie. user sign up plugin)
  • [NEXUS-5908] - Move nexus-unpack-plugin out of _optional-plugins_ to default installed plugins
  • [NEXUS-5981] - Remove from list of uses SKS Keyservers
  • [NEXUS-5993] - review File.mkdirs() usage, replace with Files.createDirectory(file.toPath()); to not hide IOExceptions
  • [NEXUS-6014] - Nexus should respect X-Forwarded headers by default
  • [NEXUS-6063] - update Nexus and components to use httpclient 4.2.6 to pick up SSL and NTLM related fixes
  • [NEXUS-5892] - Add groovy provider plugin
  • [NEXUS-5989] - If "application server settings (optional)" is not checked then administration/server page can't be saved.
  • [NXCM-5292] - IE9 binary license file upload fails
  • [NXCM-5404] - outreach bundle content outdated, links don't work, and/or provide duplicate material

  • [NXCM-5439] - installing valid license with later license validity dates than currently installed license does not update Nexus status
  • [NXCM-5518] - PGP server configuration UI is missing

Sonatype Nexus Professional 2.6.4

Bug Fixes

  • NEXUS-5996 Staging operation on multiple repositories does not abort properly on failure
  • NEXUS-5969 Improve logging for signature validation failures
  • NXCM-5451 Staging/bundle_upload transitioning conflict during concurrent processing can cause 500 status Staging repository is already transitioning
  • NXCM-5518 PGP server configuration UI is missing

Sonatype Nexus Professional 2.6.3

Bug Fixes

  • [NEXUS-5790] - Download speeds reduced in recent Nexus versions
  • [NEXUS-5828] - Nexus 2.6 breaks upgrade from Nexus 1.9.0 and 1.9.1
  • [NEXUS-5849] - Central prefix file is served through Artifactory, which results in non-central artifacts being blocked

Sonatype Nexus Professional 2.6.2

Bug Fixes

  • [NEXUS-5836] - Browse index tree does not work (this affects the procurement tree also)
  • [NXCM-5481] - nexus-healthcheck-oss-plugin 2.6.0/2.6.1 UI quality column does not load on repositories tab

Sonatype Nexus Professional 2.6.1

Bug Fixes

  • [NEXUS-5772] - File content validation broken on newer versions of Linux
  • [NEXUS-5799] - IndexCreators aren't ordered according to dependencies
  • [NEXUS-5806] - Group level yum metadata is incorrect
  • [NEXUS-5807] - Automatic routing fails for grails repository
  • [NEXUS-5814] - Nexus should not stop indexing if it encounters a jar file it cannot parse, but should report the jar location
  • [NXCM-5406] - nexus-maven-staging-plugin does not work with Maven 3.1.0
  • [NXCM-5418] - old official URL not handled by Nexus due to 301 redirect, causing Download NuGet Feed to fail
  • [NXCM-5424] - nexus-staging-maven-plugin fails with encrypted password
  • [NXCM-5429] - Regression: staging repository owner privileges don't work
  • [NXCM-5430] - age and popularity icons are missing for health check plugin
  • [NXCM-5436] - regression: User-Agent Nexus-Client/unknown on staging repository summary tab using nexus-staging-maven-plugin 1.4.5-1.4.6


  • [NXCM-5305] - Add staging rules which can prevent a release or promotion action from completing
  • [NXCM-5409] - Newly deployed artifacts can be blocked from procurement by automatic routing

Sonatype Nexus Professional 2.6.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.6.0.

See here for a full list of all issues fixed in the 2.6.0 release.

New and Noteworthy

Support for Composite P2 Repositories

Nexus now supports composite style p2 group repositories. Using these will greatly increase performance and decrease heap space requirements. The old style group repositories have been deprecated; p2 users are encouraged to migrate.

Note that if you are using Eclipse 3.4 you will not be able to use the new group repositories, since that version of Eclipse does not support composite p2 repositories.

Support for Separate HTTPS and HTTP Proxy Servers

Support has been added for separate proxy servers for HTTP and HTTPS URLs.

Compatibility Notes

Java 6 Support EOL

Oracle's support for Java 6 ended in February 2013. Consequently, as of version 2.6, Nexus requires a Java 7 JRE to run.

Per-Repository HTTP Proxy Settings Removed

The HTTP Proxy settings under repository configuration have been removed.  Users should use the global HTTP Proxy settings under "administration/server" instead.

Old Startup Scripts are Deprecated

The old startup scripts under "<nexus_root>/bin/jsw/<os>/<architecture>" are deprecated and will be removed in an upcoming release. Users should use the new startup scripts under "<nexus_root>/bin/nexus" instead.

Significant Bug Fixes


  • NXCM-5314 - CLM proxy configuration needs to take into account http VS https
  • NXCM-5349 - Upgrade to latest CLM plugin


  • NXCM-5291 - rare license validation race condition can trigger random 403, 404 errors accessing /content or 402 payment required accessing UI/REST
  • NXCM-5309 - Bad message from Nexus staging when the product is not licensed


  • NXCM-5329 - /service/local/nuget/repo does not return 401 for group repos when user lacks privileges
  • NXCM-5419 - responds with 301, needs to be replaced with


  • NEXUS-5741 - content validation does not work on P2 repositories
  • NXCM-5392 - Old style p2 group which contains composite p2 group repo does not work
  • NXCM-5327 - Allow p2 group repository implementation to use composite repositories


  • NEXUS-2834 - Maven metadata is not rebuilt when deleting items from the UI
  • NEXUS-4766 - Building wrong Maven metadata for a classifier with dots
  • NEXUS-5526 - Proxy-Repository: client certificate authentication does not work anymore
  • NEXUS-5690 - Remove per repository http proxy configuration
  • NEXUS-5704 - 500 Internal Server Error when "If-None-Match" in header
  • NEXUS-5744 - S3 detection misses to find out remote type in some cases
  • NXCM-5202 - secure central: persistent AuthTokenFetcherImpl - failed to fetch authtoken SSLPeerUnverifiedException: peer not authenticated even after explicitly trusting certificate


  • NEXUS-5661 - Proxy repo prefix file does not include paths only available from local storage
  • NEXUS-5711 - Auto routing periodic update is chatty about unsupported repositories
  • NEXUS-5734 - Correct routing prefix file not generated for custom index

Scheduled Tasks

  • NEXUS-4546 - Snapshot remover does not remove deleted snapshot versions from g:a-level metadata files
  • NEXUS-5749 - Scheduled Tasks still disappears
  • NEXUS-5765 - NEXUS 2.5-04, strange error, probably during removing old snapshots
  • NEXUS-5766 - Snapshot remover stops processing on ItemNotFoundException
  • NEXUS-5773 - Heavy spam and possible slowdown in batch processing of item deletions
  • NEXUS-5778 - Very long time of remove snapshots in Nexus 2.5
  • NXCM-5401 - Purge Timeline Task Config corrupted on load/save


  • NEXUS-5747 - Support packaging "bundle" by default for search
  • NEXUS-5764 - The is only used for the Repair Index Job and not for regular indexing.
  • NEXUS-5784 - NPE while fetching archetype catalog
  • NEXUS-5752 - Make NIO lucene indexes the default in Nexus


  • NEXUS-5728 - Wrong use of EHCache for EnterpriseCacheSessionDAO
  • NEXUS-5736 - Unable to programmatically set Privilege ID


  • NXCM-4792 - nexus-staging-maven-plugin should warn if it detects it is run against a non-clean target folder
  • NXCM-5308 - Wrong staging rules run during build promotion
  • NXCM-5331 - Regression: Staging profile GAV selection does not work in multi-module build.
  • NXCM-5297 - nexus-staging:promote should print the build promotion repository id that gets created
  • NXCM-5338 - Improve logging in staging, log high level actions in REST/Jetty thread


  • NEXUS-5705 - deleting a rpm artifact does not trigger Yum: Generated Metadata capability execution
  • NEXUS-5721 - Files with RPM extension (upper case) are not processed
  • NEXUS-5740 - rpm artifacts in .nexus/trash can be processed by createrepo tool


  • NEXUS-5742 - Problem reporting through authenticated http proxy does not work
  • NEXUS-5757 - Add tags to nexus-example-plugins for 2.4.0 and 2.5.0 releases
  • NEXUS-5763 - Rename the restlet plugin
  • NEXUS-5767 - metrics-logback-2.2.0.jar should be added to WEB-INF/lib in war file, like other logback jars
  • NEXUS-5780 - deprecate usage of platform specific wrapper scripts, remove in next release
  • NEXUS-5729 - Expose EHCache over JMX
  • NEXUS-5731 - Remove support for Java 6 - require Java 7 to run Nexus
  • NEXUS-5732 - Remove httpclient 3
  • NEXUS-5768 - is replaced by
  • NEXUS-5214 - I want to be able to specify separate default HTTP proxies for http and https
  • NEXUS-5714 - Split /status resource, make it as originally intended
  • NXCM-5346 - nexus-m2settings:download fails if password contains "!" character
  • NXCM-5325 - Allow RHC to use SSL certificates from the Nexus private keystore

Sonatype Nexus Professional 2.5.1

The 2.5.1 release of Nexus Professional contains an updated version of the CLM integration plugin.  There are no other changes/fixes in this release.

Sonatype Nexus Professional 2.5.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.5.0.

See here for a full list of all issues fixed in the 2.5.0 release.

New and Noteworthy

Grace Period for "Remove if Released" in Snapshot Cleanup Task

You can now specify a number of days for Nexus to wait before it removes all snapshots from a released GAV.

New Scheduled Task to Remove Old Releases

A new scheduled task has been added which allows cleanup of old releases.  Please see our blog post about removing old releases for the intended use cases.

Removal of Per-Profile Staging Repository Limit

In prior releases of Nexus you could only have 1000 repositories associated with a given staging profile.  This limit has been removed.

Override Local Storage Location of Staging Repositories

It is now possible to override the disk storage location used for staging repositories.  See NXCM-1221 for details.

Compatibility Notes

Java 6 Support is Deprecated

Java 6 reached official EOL in February 2013. Since it is no longer receiving updates, we are deprecating support for running Nexus with Java 6 in the 2.5 release, and will be removing it in the upcoming 2.6 release.

Ping and Startup Timeouts Disabled in Java Service Wrapper

The Java Service Wrapper ping and startup timeouts have been disabled. These timeouts are used to automatically restart the server if it appears to be hung. Over time we've found that use of these timeouts has two significant flaws:

  1. They often restart the server when it is not necessary
  2. When they restart the server it results in the loss of valuable diagnostic information

If you want to re-enable these you can do so by editing <nexus_root>/bin/jsw/conf/wrapper.conf and setting the "" and "wrapper.startup.timeout" to 390 and 300 seconds respectively.

Significant Bug Fixes


  • NXCM-5236 The nexus-clm plugin should respect insight scanner 'timeToReport' value


  • NXCM-5176 When nexus not running, and user submits license key, no message indicating what went wrong
  • NXCM-5181 Can't install new license into expired trial.
  • NXCM-5183 Nexus instance with expired non-trial license shows "to get started log in with admin/admin123"
  • NXCM-5184 Sub-Optimal license installation experience for new nexus pro installs
  • NXCM-5185 header license expiry message missing space


  • NXCM-5067 Enterprise LDAP may not be pooling LDAPS connections by default
  • NXCM-5165 LDAP Refresh button freezes Nexus UI


  • NXCM-5131 NuGet: expiration settings related to max age are editable but reset to zero when saved, item max age blanked


  • NEXUS-5225 p2-bridge produces loads of temp folders
  • NXCM-4485 P2 bridge should create temporary directories under tmp/p2-bridge directory
  • NXCM-4660 p2-bridge produces loads of temp folders
  • NXCM-5283 OBR Proxy repository broken after core change


  • NEXUS-2450 Maven2 to Maven1 ejb artifacts are served from **/jars/ directory instead of **/ejbs/
  • NEXUS-4306 metadata not updated when a release artifact is deleted
  • NEXUS-5511 Extend Core to improve reasoning when ItemNotFoundEx is thrown
  • NEXUS-5662 Log user ID in deleted artifacts message
  • NXCM-5187 Browse Remote does not work when expired remote ssl certificate is added to Nexus truststore
  • NXCM-5192 NPE when creating a proxy repo
  • NEXUS-5663 INFO - Repository out of service messages need context
  • NEXUS-5673 Shadow ItemNotFoundException when items deleted from master
  • NXCM-5219 Useless 'Repository out of service' log message


  • NEXUS-5621 Blocking routing rule omits "applied mappings"
  • NEXUS-5628 Automatic Routing prefixes.txt file does not contain Yum repository metadata
  • NEXUS-5698 S3 scraper fails to retrieve bucket list if response is truncated
  • NXCM-5188 Strict Checksum enforcement breaks Automatic Routing
  • NXCM-5222 prefix file discovery for secure central logs stack trace when missing auth token

Scheduled Tasks

  • NEXUS-3742 Grace period for remove if released snapshot cleanup
  • NEXUS-5607 Default values in snapshot removal task cause all snapshots to be deleted
  • NEXUS-5612 Undesired interaction between RecreateMavenMetadataWalkerProcessor and DefaultFSPeer
  • NEXUS-5629 Scheduled Tasks disappears
  • NXCM-4665 Scheduled Task to remove releases
  • NXCM-4979 Scheduled tasks disappearing
  • NEXUS-5682 Repeated log spam at DEBUG level attempting to delete checksum files while running Snapshot Removal Task


  • NEXUS-4599 /service/local/lucene/search docs indicate wrong result type
  • NEXUS-5641 nexus ignores lucene.fsdirectory.type in some cases
  • NEXUS-5658 NEXUS-5641 timeline plugin does not honour lucene.fsdirectory.type property
  • NXCM-4867 IndexerManagerEventInspector - Could not maintain index
  • NXCM-5047 Custom metadata not updated for deleted artifacts

Secure Central

  • NXCM-4859 Failed to fetch authtoken should not log stack trace


  • NEXUS-267 Enable sorting by column in the "security/users" table
  • NEXUS-5037 single quote symbol is accepted as user password but then does not work
  • NXCM-4361 Add salting to password hashing

Smart Proxy

  • NXCM-4761 Add error handler to cope with unexpected messages from non-compatible NX
  • NXCM-4958 Smart proxy preemptive fetch causes log spam when files deployed on remote don't match the release/snapshot repo policy


  • NXCM-5150 SSL:LDAP capability screen a bit unclear
  • NXCM-5163 "Load Certificate" buttons should not be enabled unless text field/area has content
  • NXCM-5146 Generic error message when smtp test fails due to untrusted cert

Staging/Build Promotion

  • NXCM-1221 Allow override of local storage for staging repositories.
  • NXCM-5122 NXCM-4906 Summary view is not scrollable
  • NXCM-5138 Canceling staging operation task while rule is walking results in "passed" rule
  • NXCM-5141 staging repository dates can display wrong timezone
  • NXCM-5153 Staging upload UI silently pushes into existing open directory
  • NXCM-5161 Staging upload over UI description is mandatory but unused
  • NXCM-5179 Get rid of arbitrary per profile 999 repository limit for staging profiles
  • NXCM-5189 Add support for plugins to contribute columns to staging repositories view
  • NXCM-5190 Add support for plugins to contribute fields to staging repository summary view
  • NXCM-5191 Add chiclet detail to staging summary and master grid column
  • NXCM-5194 nexus-staging-maven-plugin is not deploying maven-metadata.xml for maven-plugins
  • NXCM-5197 Warnings in log when running the "drop inactive staging repositories" task.
  • NXCM-5198 Cannot list staging repositories while "drop inactive staging repositories" task is running.
  • NXCM-5209 saving a staging profile with a target group that does not exist silently fails
  • NXCM-5210 hang performing staging and security operations
  • NXCM-5239 Addition of properties on staging repository DTO causing maven-plugin to fail (as well as older clients)
  • NXCM-5240 Addition of noSessionTimeout to /status causes staging maven-plugin to fail
  • NXCM-5302 Protect against staging.xml corruption


  • NEXUS-5483 help icons are missing for many form fields
  • NEXUS-5580 Confusing SMTP validation UI
  • NEXUS-5596 IE 10 Compatibility
  • NEXUS-5597 NEXUS-5596 dialog shadow rendering is not transparent
  • NEXUS-5598 NEXUS-5596 element warnings in console
  • NEXUS-5599 Block using IE7 or IE7 compatibility from using nexus UI
  • NEXUS-5613 Capabilities grid should default to sort by type
  • NEXUS-5614 Failed capability icon is same as disabled
  • NEXUS-5615 User profile summary requires "Last Name" but default configuration "admin" last name is blank
  • NEXUS-5672 NEXUS-5389 Extract ExtJS3 UI as a plugin
  • NEXUS-5667 Upgrade to ExtJS
  • NEXUS-5710 CSS does not load on content index pages


  • NEXUS-5702 Yum: Generate Metadata capability does not automatically execute on rpm upload when a Yum: Generate Metadata scheduled task is present


  • NEXUS-5420 Nexus email notifications should include a link back to the server that sent them
  • NEXUS-5468 http connection leak triggered by LocalStorageException
  • NEXUS-5585 Massive request if version check fails
  • NEXUS-5660 should be set by default in case Java 7+ or JMX is used with Nexus
  • NEXUS-5678 Disable ping timeout and startup timeout in wrapper.conf
  • NEXUS-5712 change logging pattern layout to include the full thread name by default

Sonatype Nexus Professional 2.4.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.4.0.

See here for a full list of all issues fixed in the 2.4.0 release.

Important: If you are making use of the Nexus Professional Staging/Build Promotion Suite read the compatibility notes below before upgrading to the 2.4.0 release.

New and Noteworthy

SSL Certificate Management

Previously, a Nexus which accessed remote servers that used SSL self-signed or client certificates required a Nexus administrator to manually install these certificates into a Java keystore/truststore using third-party command line tools. Detecting the cause of a connectivity problem in this case usually involved inspecting log files. This process was tedious and error prone.

Nexus 2.4 now provides a UI to manage SSL certificates for both repositories and LDAP servers. If access to a server is blocked due to an SSL certificate problem the UI will clearly show this. Using the new SSL certificate UI a Nexus administrator can inspect and approve the remote certificate, allowing Nexus to connect.

Automatic Routing

Nexus Professional's new Automatic Routing feature uses several new strategies to automatically detect the contents of remote proxy repositories so that it can avoid making unnecessary calls to their remotes. This results in a significant performance improvement for Nexus instances that contain multiple proxy repositories.

Staging: Improved Support for Long-running Operations

The staging repository UI and corresponding REST endpoints have been reworked to provide feedback for close/promote/release operations that invoke long-running staging rules.

Full documentation for the UI changes is available in the Repository Management with Nexus book.

The nexus-staging-maven-plugin has also been updated to properly handle long running staging rules.

Staging: Scheduled Task to Remove Inactive Staging Repositories

A scheduled task has been added which can remove staging repositories which are in open, closed, or promoted states and have been inactive for a specified number of days. See the Scheduled Task documentation for more information.

New Nexus Maven Settings Plugin

The "settings-download" goal of the old nexus-maven-plugin has been replaced by a new Maven plugin, the Nexus M2Settings Maven Plugin. This completes the deprecation of the old "nexus-maven-plugin".

Compatibility Notes

Nexus Plugin for Maven Retired

The Nexus Plugin for Maven has been deprecated for the past few releases. Due to changes in the staging REST API it no longer works with Nexus 2.4.0. Users must use the new nexus-staging-maven-plugin and nexus-m2settings-maven-plugin instead.

Nexus Maven Staging Plugin and Nexus Staging Ant Tasks

If you are using the nexus-staging-maven-plugin you will need to upgrade the version in your pom files to 1.4.4.

If you are using the nexus-staging-ant-tasks you will need to upgrade to version 1.4.

Staging REST API Changes

Scripts which directly call the staging REST API may require changes.

  • close/promote/release/drop operations are now asynchronous. Drop operations, including nexus-staging:release with auto-drop enabled, are complete when the response code is 404. For other operations, a GET request to "/service/local/staging/repository/<repo-id>" that returns a 'transitioning' field value of false indicates the operation is complete.
  • the staging repository 'closed' field has been renamed and repurposed to an 'updated' field - meaning the last time an operation was recorded against the staging repository.
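
A script that polls the asynchronous staging API as described above might look like the following. This is an added example, not Sonatype's code: the JSON response body (requested with "Accept: application/json"), HTTP Basic authentication, the HTTPS-only check, treating 5xx responses as transient, and all function names are assumptions.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Path quoted in the release notes; <repo-id> is filled in per call.
STATUS_PATH = "/service/local/staging/repository/{repo_id}"


class StagingError(Exception):
    """Polling cannot succeed: auth failure, unexpected 404, bad body, timeout."""


def classify(operation, status_code, body):
    """Map one GET response to 'done' or 'pending' under the 2.4.0 rules."""
    if status_code == 404:
        if operation == "drop":
            return "done"  # a dropped repository no longer exists
        raise StagingError(f"repository disappeared during {operation}")
    if status_code in (401, 403):
        # Retrying with the same credentials will not help; fail fast.
        raise StagingError(f"not authorised to read the repository ({status_code})")
    if status_code >= 500:
        return "pending"  # assumption: treat server errors as transient
    if status_code != 200:
        raise StagingError(f"unexpected HTTP status {status_code}")
    try:
        doc = json.loads(body)
    except ValueError as err:
        raise StagingError("response body is not JSON") from err
    flag = doc.get("transitioning") if isinstance(doc, dict) else None
    if not isinstance(flag, bool):
        raise StagingError("no boolean 'transitioning' field in response")
    if operation == "drop":
        return "pending"  # only a 404 proves the drop finished
    return "pending" if flag else "done"


def wait_for(operation, repo_id, fetch, max_polls=60, interval=5.0, sleep=time.sleep):
    """Poll until the operation completes; return the number of GETs issued."""
    path = STATUS_PATH.format(repo_id=urllib.parse.quote(repo_id, safe=""))
    for attempt in range(1, max_polls + 1):
        status_code, body = fetch(path)
        if classify(operation, status_code, body) == "done":
            return attempt
        sleep(interval)
    raise StagingError(f"{operation} of {repo_id} still running after {max_polls} polls")


def make_http_fetch(base_url, username, password):
    """Build fetch(path) -> (status, body) for a live server (assumes Basic auth)."""
    if not base_url.lower().startswith("https://"):
        raise StagingError("refusing to send credentials over a non-HTTPS URL")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(path):
        request = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Accept": "application/json", "Authorization": "Basic " + token},
        )
        try:
            with urllib.request.urlopen(request, timeout=30) as response:
                return response.status, response.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    return fetch


def demo():
    """Run the poller over constructed responses for a 'close' operation."""
    replies = iter([
        (200, '{"transitioning": true, "updated": "constructed-value"}'),
        (503, ""),  # constructed transient failure
        (200, '{"transitioning": false, "updated": "constructed-value"}'),
    ])
    return wait_for("close", "example-1001", lambda path: next(replies),
                    sleep=lambda seconds: None)


if __name__ == "__main__":
    print("close completed after", demo(), "polls")
```

Against a real server, pass `make_http_fetch(...)` as the `fetch` argument and read the credentials from the environment rather than the script.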

New Privileges Required to Access Staging Repository UI

The following privileges are now needed for access to the staging repository UI:

  • Staging: Rule Types (read)
  • Staging: Rule Set (read)

These privileges have been added to the built-in "UI:Staging Repositories" role in the 2.4.0 release.

Significant Bug Fixes


  • NEXUS-5478 - LDAP Group ID's which contain "&" do not work
  • NEXUS-5679 - LDAP connection leak
  • NXCM-4885 - Enterprise LDAP UI is broken
  • NXCM-4977 - Enterprise LDAP user cache is hard coded to 100, and no override is set in ehcache.xml
  • NXCM-4998 - Use user ID sent to nexus as LDAP cache key, not user ID retrieved from LDAP


  • NXCM-4890 - UI does not show when license has expired

Maven Repositories

  • NEXUS-3398 - Repository is blocked for config additions while downloading indexes
  • NEXUS-5418 - Maven repositories handles sha1/md5 files "as one" with main file, but is not locking them
  • NEXUS-5481 - display the reason a remote repository is auto-blocked in the ui
  • NEXUS-5505 - Nexus attribute mechanism causing collisions with platform special files
  • NEXUS-5521 - Repository groups are sorted in reverse order
  • NEXUS-5525 - Custom packaging types do not show up in index after deployment
  • NEXUS-5539 - Refresh of Nexus Managed Repositories list clears list
  • NEXUS-5556 - Bookmarkable URLs no longer work in repository view
  • NEXUS-5606 - Deleting an artifact should delete its md5 and sha1 too
  • NXCM-4968 - Maven Dependency display broken
  • NXCM-4994 - Nexus managed repo disappears from list after deleting file


  • NXCM-4861 - Could not acquire exclusive lock on repository procured in 60 seconds


  • NEXUS-5517 - Latest fields are filled in only when "collapse" happens of search result
  • NEXUS-5542 - Update index task fails if one of the processed repositories gets a SocketTimeoutException
  • NEXUS-5570 - Uninitialized variable in LockingIndexingContext can cause NPE during search
  • NEXUS-5577 - Update to maven indexer 5.1.1


  • NEXUS-5520 - Role management UI gets duplicated
  • NXCM-4941 - Render problem for Access User Token in Chrome

Staging/Build Promotion

  • NXCM-4780 - build promotion that takes long time and has rule failures does not display rule failures to ui
  • NXCM-4786 - staging repositories list does not always show promoted repositories
  • NXCM-4805 - when error on nexus deploy due to bad url, print the url
  • NXCM-4900 - Nexus should not allow a user to delete a staging profile that has repositories associated with it.
  • NXCM-4901 - Misleading "Missing MD5" message when staging checksum validation fails
  • NXCM-5025 - Staging release incorrectly fails with access denied exception
  • NXCM-5205 - Changing the repository target of a staging profile that has promoted repositories causes them to be dropped.
  • NXCM-5045 - Release fails if requestor e-mail address can't be found
  • NXCM-5175 - If staging fails due to the staging repository limit being hit, no message is logged


  • NXCM-4431 - Finalize deprecation of nexus-maven-plugin.
  • NEXUS-5506 - New REST API documentation is extremely difficult to navigate
  • NEXUS-5549 - Wrong NexusApplication log level
  • NEXUS-5480 - Wrong Mount Points in API docs

Known Issues

  • NEXUS-5628 - Automatic Routing prefixes.txt file does not contain Yum repository metadata

Sonatype Nexus Professional 2.3.1

Bug fixes in this release:

  • NEXUS-5491 - Entering username/password for proxy settings in a repository cause clearing of all values on save
  • NEXUS-5517 - Latest fields are filled in only when "collapse" happens of search result
  • NEXUS-5521 - Repository groups are sorted in reverse order

Sonatype Nexus Professional 2.3.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.3.0.

See here for a full list of all issues fixed in the 2.3.0 release.

New and Noteworthy

Support for Hosted and Group Yum Repositories

  • Any hosted Maven 2 repository in Nexus can be configured to act as a Yum repository
  • Yum repositories are automatically updated if you upload/deploy/delete a new RPM into Nexus.
  • Full group repository support so that you can logically group a set of Yum repositories behind a single URL.
  • Use Yum group repositories as target of staging repositories

Revamped Search/Index

The search/index feature has been re-architected to address many long-standing issues. Nexus search indexes are now faster, more reliable, and scale significantly better.

Smart Proxy Enhancements

  • Support for delete events
  • Full support for staging drop/close/release (messages for individually affected artifacts, so preemptive fetch will work)

Improved solution for overriding/adding MIME Types

By default when Nexus downloads files into proxy repositories it validates that the downloaded file's contents match what is expected based on the file's MIME type.

This works well for most normal file types, but occasionally you may find that you need to make Nexus aware of new MIME types, or change one of the built in definitions.

Nexus 2.3 contains a new feature which allows you to do this. For information on how to use this feature see here.

Plugin Compatibility Notice

A focus of the 2.3 release was updating the versions of libraries shipped with Nexus to pick up bug fixes, security fixes, and performance improvements. As a result there have been significant changes in versions of libraries shipped with Nexus 2.3, and also a few plugin API changes. If you have developed (or make use of) a Nexus plugin which is not distributed with Nexus you should validate that it works with the 2.3 release.

Miscellaneous Compatibility Notes

  • Due to NEXUS-5218 Nexus sets the "" system property. If you need IPv6 support add "" into the "<nexus_root>/conf/" file.
  • The checksum Java applet has been removed NEXUS-5361.

Significant Bug Fixes

Maven Repositories

  • NEXUS-4864 Nexus makes impossible to proxy Flex SWC artifacts
  • NEXUS-5197 NPE in member change detection
  • NEXUS-5257 Remote Browsing does not respect non-proxy hosts in http proxy settings
  • NEXUS-5258 Newly added proxy repositories has rrs/provider field filled in
  • NEXUS-5382 hostname with _ char in it breaks browse remote tab
  • NEXUS-5400 Rebuild metadata task moves temporary upload files to the trash
  • NEXUS-5414 Snapshot remover can be run against proxy repos, it removes snapshots and rewrites the cached metadata files


  • NXCM-4745 Protect against page cycles when proxying NuGet feeds
  • NXCM-4816 NuGet gallery resource doesn't pick up base URL of server


  • NXCM-4561 Invalid configuration after deleting repo which is procurement source
  • NXCM-4798 Procurement rules are not applied when procurement repository is in a group


  • NXCM-4714 Maven indexer can prevent Nexus from shutting down cleanly ( Nexus836OOSRepoReindexTaskIT )
  • NEXUS-5271 Indexer leaves behind temp directories

Secure Central

  • NXCM-4781 Retrieval of Secure Central authorization token fails through http proxy


  • NXCM-4520 Malicious staging rules can inject bad html

Staging/Build Promotion

  • NEXUS-5396 "411 Length Required" when using nexus-staging:close and other Nexus client operations with nginx
  • NXCM-4557 Thread starvation in indexer/staging
  • NXCM-4570 Exception on sending emails during promote/drop staging stops the flow
  • NXCM-4779 deadlock in org.sonatype.sisu.goodies.eventbus.internal.guava.SynchronizedEventHandler


  • NEXUS-3442 Lots of "An exception occurred writing the response entity: null" in the log
  • NEXUS-3728 Nexus (JSW) shell script improperly uses su command
  • NEXUS-4877 using a "&" symbol in the password field of nexus corrupts password for the user account
  • NEXUS-5169 Improved solution for adding/overriding MIME type mappings
  • NEXUS-5233 Private Sun system property "" is used in wrapper.conf
  • NEXUS-5294 Add visual clue that a user is read-only
  • NEXUS-5360 Update to ExtJS3
  • NEXUS-5413 RedirectToHttpsRule spams log with thousands of messages
  • NEXUS-5417 capability plugin : RegexpFieldValidator inverse logic
  • NXCM-4530 Fix logging of NoSuchRepositoryException
  • NXCM-4546 Example jetty configurations need updating to match official jetty.xml

Sonatype Nexus Professional 2.2.1

Bug fixes in this release:

  • NXCM-4781 - Retrieval of Secure Central authorization token fails through http proxy

Sonatype Nexus Professional 2.2

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.2.

See here for a full list of all issues fixed in the 2.2 release.

New and Noteworthy

Secure Access to Maven Central

Sonatype is now offering secured SSL access to Maven Central. Providing SSL support for Central means that your components are no longer susceptible to man-in-the-middle attacks that could compromise the component. SSL also eliminates the potential for a hacker to gain visibility into your organization by tracking the components that you download for your development initiatives.

New installations of Nexus Professional will have secure access to central enabled by default. Upgrades to Nexus Professional 2.2 can be converted to use the new service simply by changing the central URL to

For information on obtaining this service for Nexus Open source or other repository managers visit the Secure Access to Central site.

Note: This service requires that the JRE running your repository manager has unlimited strength JCE installed.

Note 2: We're seeing evidence that a few HTTP proxy servers may be rejecting the request Nexus Professional makes for the authorization token. If you are experiencing a problem accessing this service please file a ticket at httts:// and we will provide you with a token. We'll be fixing this issue soon.

Deferred Snapshot Deploy in Multi-Module Builds

The nexus-maven-staging-plugin has been enhanced to allow deferred deployment of snapshots from multi-module Maven builds. Deployed snapshots are held in a temporary location until all module builds have been completed successfully, and are deployed together. This enhancement gives transactional behavior to multi-module snapshot builds: either all modules are deployed or none are.

Hosted Site Repositories in Nexus Community Edition

Nexus Community Edition now has support for hosted site repositories.

Significant Bug Fixes

Enterprise LDAP

  • NXCM-4524 Improve handling of intermittent LDAP failures
  • NXCM-4758 LDAP connection timeouts are not being cached


  • NXCM-2795 OBR groups do not work properly if they contain more than one hosted repository
  • NXCM-4715 P2 mirrors does not work for composite repositories with only 1 member repository


  • NXCM-4630 Procurement repository unusable while it is rebuilding rules

Smart Proxy

  • NXCM-4159 Preemptive fetch in smart proxy
  • NXCM-4529 Smart proxy connection doesn't pick up changes to remote URL in proxy repo configuration
  • NXCM-4626 Smart Proxy Issue with Nuget Repos


  • NXCM-4447 nexus-staging-maven-plugin deploy does not explain deploy failure context to Maven user
  • NXCM-4500 Staging rule set description doesn't handle multibyte characters properly
  • NXCM-4508 Wrong case displayed for staging repository name in user interface
  • NXCM-4550 staging promotion should fail with more specific error when a non-existent promotion profile is specified
  • NXCM-4567 NPE in nexus-staging when switching to direct deployUrl
  • NXCM-4580 Staging repository reappeared after promotion.

User Token

  • NXCM-4731 User Token link gives 404 dialog when clicked
  • NXCM-4742 User Token UI won't load due to 404 error


  • NEXUS-3424 Nexus prints stack trace to log when remote repo doesn't have an index.
  • NEXUS-5192 Improve efficiency of Nexus Index tree
  • NEXUS-5249 Update Indexes task stops processing on RemoteItemNotFoundException
  • NEXUS-5280 DefaultIndexerManager make wrong use of ContextMemberProvider when working with groups


  • NEXUS-4692 Make HTTPClient 4.1 the default transport in Nexus
  • NEXUS-5228 Regression: Browse local storage tree gives 404 error message for maven-metadata.xml
  • NEXUS-5291 RemoteRepository implementations performance: HC3x vs HC4x

Miscellaneous Fixes

  • NEXUS-5158 When anonymous access is disabled just bring up the login dialog automatically, don't show a warning.
  • NEXUS-5184 #include wrapper-override.conf directive should be removed since it is unreliable
  • NEXUS-5216 Nexus Archetype plugin produces invalid catalog for non-searchable repos
  • NEXUS-5241 Checksum and metadata deploys are being recorded in system feeds, causing them to grow very large
  • NEXUS-5246 Stop using 301 Redirection Permanent and switch to 307 Redirection Temporary instead in REST Resources
  • NEXUS-5265 remove artifactory bridge from nexus bundles

Sonatype Nexus Professional 2.1.2

Significant bug fixes in this release:

  • NEXUS-5205 - Nexus doesn't trim e-mail addresses anymore
  • NEXUS-5219 - Empty trash task fails
  • NXCM-4502 - Latest NuGet package explorer ( ) doesn't work with Nexus.
  • NXCM-4544 - JS error when loading profile tab when auth required
  • NXCM-4547 - POST, GET staging maven plugin operations do not respect Maven configured proxy settings
  • NXCM-4550 - Staging promotion should fail with more specific error when a non-existent promotion profile is specified
  • NXCM-4555 - Usertoken queries status as soon as js loads
  • NXCM-4582 - NPE when proxying internal NuGet repo

Sonatype Nexus Professional 2.1.1

Bug fixes in this release:

Sonatype Nexus Professional 2.1

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.1.

See here for a full list of all issues fixed in the 2.1 release.

New and Noteworthy

New Staging Suite

The Nexus Staging Suite has been completely revamped in Nexus 2.1.

Major new features include:

  • Selection of staging profiles by ID from within the build
  • Atomic Deploy - All artifacts from multi-module builds are uploaded together as a single entity only after everything has been successfully built
  • Automatic closing of staging repository at the end of a build
  • Tags can be added to staging repositories; these will be preserved on the staged artifacts in Nexus throughout their lifecycle.
  • Local disk staging of artifacts to allow additional testing before they are uploaded to Nexus
  • Support for staging from ANT builds, and a REST API which allows other staging clients to be easily built
  • Automatically drop a staging repository if build fails
  • Automatically promote a staging repository if build succeeds.

User Token Authentication

When using Apache Maven with Nexus, the user credentials for accessing Nexus have to be stored in clear text in the user’s settings.xml file. Maven does have the ability to encrypt passwords in a user's settings.xml, but since the encryption is reversible it isn't truly secure. This lack of security is of particular concern when Nexus is configured to use external authentication such as LDAP.

To solve this problem, Nexus 2.1 introduces a two-part token for the user, which can replace their regular credentials.

See the Nexus Book for more information about these new features.

Significant Bug Fixes

Maven Repositories

  • NEXUS-4275 - If index download fails due to error then "download index" task should end in "broken" state.
  • NEXUS-4918 - Nexus is generating invalid maven-metadata.xml at GA level
  • NEXUS-4970 - Nexus Maven metadata merge operation should not throw errors on corrupt metadata
  • NEXUS-5023 - When downloading .ear or .war file, the browser thinks the extension is zip
  • NEXUS-5043 - the ~ character is not properly decoded when deployed using maven 3
  • NEXUS-5145 - NPE when reusing same repository id for a proxy

NuGet Repositories

  • NXCM-3904 - Usability issue with NuGet: API keys are shown when key security realm has not been added.
  • NXCM-3964 - Add support for the new NuGet "FindPackagesById" data service

p2 Repositories

  • NXCM-3914 - Newly created P2 proxies eagerly loading of remote repository's repository-metadata.xml files from mirrors can delay proxy metadata creation
  • NXCM-4053 - UID deadlock when accessing p2 metadata
  • NXCM-4391 - OOM is causing a deadlock in P2 Proxy Repository
  • NEXUS-5104 - P2 plugin proxy repository does not obey "local only" flag in requests

Repositories (general)

  • NEXUS-4064 - Turning off "publish url" for a repository causes most context menu items in repository view to disappear.
  • NEXUS-4855 - Repository registry becomes a CPU hog when registry contains a lot of repositories, and does too much
  • NEXUS-4871 - Attribute storage should discard empty attribute files
  • NEXUS-4878 - When deleting repositories if there are dependencies you get an awful error message giving a bad request
  • NEXUS-4984 - Zero length checksum file causes artifact to be rejected when checksum policy is "Warn"
  • NEXUS-5109 - NFC is inherited by different repositories having same repoID

Scheduled Tasks

  • NEXUS-4465 - Next run is wrong for scheduled tasks using advanced cron expression
  • NEXUS-4862 - Snapshot remover shouldn't stop processing if it encounters a zero length file.


  • NXCM-4274 - Credential time outs
  • NEXUS-5040 - Role cannot be edited if it contains a privilege contributed by a plugin which has been removed
  • NEXUS-5048 - Multibyte characters are not handled correctly in user administration screen.
  • NEXUS-5064 - LDAP connection pool doesn't work with SSL
  • NEXUS-5122 - ConcurrentModificationException in security XmlRolePermissionResolver

Security Vulnerabilities

  • NXCM-4061 - Investigate and resolve security vulnerabilities in Nexus 2.0.x branch identified by Insight scan
  • NXCM-4477 - Disable logging capability due to security vulnerability in XML external entity reference
  • NEXUS-5031 - Upgrade to latest Jetty 7.x to solve known denial of service security vulnerabilities

Smart Proxy

  • NXCM-3750 - Changes to group config are not propagated to subscribers
  • NXCM-3747 - Recursive events sent to subscriber for delete events
  • NXCM-3872 - Smart proxy broker database that is not accessible due to file permissions can prevent startup of nexus
  • NXCM-3795 - ConcurrentModificationException after reaching Broker memory limits
  • NXCM-4516 - Smart proxy expire cache isn't working.


  • NXCM-1269 - Can't see all failures in staging rules dialog (it needs a vertical scrollbar).
  • NXCM-2874 - Add a role to Nexus which includes all privileges needed to deploy/release/promote for a staging profile.
  • NXCM-3133 - only the staging bundle deployer or someone w/ a special privilege should be able to drop a staging bundle
  • NXCM-3526 - staging repos table - sorting by date sorts literally
  • NXCM-3768 - Staging release replaces metadata then rebuilds it
  • NXCM-4381 - Add deprecation logging message to old nexus-maven-plugin goals
  • NXCM-4476 - Staging descriptions that have multi-byte characters don't show up in e-mails.

Miscellaneous Fixes

  • NXCM-3876 - Maven Settings template ID has poor UI validation resulting in Server http 500 400 errors
  • NXCM-4191 - Custom metadata support for multiple n3 files
  • NXCM-4433 - Can't install binary license file using Chrome 20
  • NXCM-4475 - Runtime Exception starting Nexus 2.0.6
  • NEXUS-4863 - Nexus Plugin Manager matches plugin interdependencies by GA only on loaded plugins
  • NEXUS-4905 - Files not ending in "pom" or "jar" don't show up in "newly cached files" system feed
  • NEXUS-5018 - Project generated from nexus plugin archetype doesn't compile
  • NEXUS-5185 - Add context menu to main tabs so that they can be mass-closed

Sonatype Nexus Professional 2.0.6

Bug fixes in this release:

  • NXCM-4372 - Nexus running in '/' breaks licensing redirection
  • NXCM-4374 - "upload a license file" link doesn't work in IE9
  • NEXUS-5096 - Security should cache created WildcardPermission objects, not recreating them over and over again
  • NEXUS-5099 - Memory leak in attributes upgrader when running against virtual M1 -> M2 repo

Sonatype Nexus Professional 2.0.5

New and Noteworthy

This release has added support to streamline the initial Nexus experience for new users. Please visit the Nexus Evaluation Guide site for more information.

Significant Bug Fixes

General Improvements

  • NXCM-4111 - Regression: When metadata expires for p2 proxy repository the metadata is always downloaded and processed again
  • NXCM-4112 - MimeDetector is not picking up NuGet specific
  • NXCM-4164 - Regression: Crowd security realm is picking up global http proxy settings
  • NXCM-4175 - Poor performance for requests coming into procurement repository
  • NXCM-4226 - NuGet FindPackagesById service generates incorrect 'next' query links


  • NEXUS-5049 - Anonymous disabled, but still can log in

A full list of all issues fixed in Nexus Professional 2.0.5 can be found here.

Sonatype Nexus Professional 2.0.4-1

Bug fixes in this release:

  • NEXUS-5035 Regression: Performance degradation when sending error responses

Sonatype Nexus Professional 2.0.4

New and Noteworthy

This release has added additional links to documentation and support resources including links to the Sonatype Knowledge Base in an effort to add more paths for users to take advantage of relevant documentation.

Significant Bug Fixes

General Improvements

  • NXCM-4047 - NuGet version column should sort by numeric grouping rather than the default
  • NXCM-4084 - Add Insight security and license information to artifact search results


  • NEXUS-5032 - XSS vulnerability in /artifact/maven/resolve REST endpoint
  • NEXUS-5031 - Upgrade to latest Jetty 7.x to solve known denial of service security vulnerabilities

A full list of all issues fixed in Nexus Professional 2.0.4 can be found here.

Sonatype Nexus Professional 2.0.3

Bug fixes in this release:

  • NXCM-3972 - Modify NuGet REST endpoint so it checks read privilege instead of view privilege
  • NXCM-3963 - Deadlock in p2 group repository
  • NXCM-3952 - NuGet database lock-file may stay around after shutdown if the computer's IP address changes while Nexus is running

Sonatype Nexus Professional 2.0.2

Bug fixes in this release:

  • NXCM-3938 - Newly published "p2.index" file is causing proxies of update site to fail.
  • NXCM-3946 - Wrong URL is returned from "/service/local/ldap/servers" REST resource.
  • NXCM-3947 - NuGet plugin does not return expected 401 when anonymous user with no read privileges accesses the gallery

Sonatype Nexus Professional 2.0.1

Bug fixes in this release:

  • NXCM-3917 - NuGet tab does not need to fetch the repository configuration
  • NXCM-3916 - P2 proxy repository fails to connect to remote if HTTP proxy server is configured.
  • NXCM-3910 - window title should match more closely to product title
  • NXCM-3871 - Admin user mapped in through LDAP group mapping cannot log in after license has expired.
  • NXCM-3004 - Mirrors fail to download properly for Indigo update site

Sonatype Nexus Professional 2.0

These release notes are a compilation of new features, system requirements, and significant bug fixes specific to Sonatype Nexus Professional.

See the Sonatype Nexus OSS Release Notes for the corresponding changes in the base product.

A full list of all issues fixed in Nexus Professional 2.0 can be found here.

Nexus Professional can be downloaded through the Sonatype Nexus Professional Download page.

Important Upgrade Notes

Important: Please read over the release notes carefully and refer to the instructions on Upgrading Nexus.  The upgrade process has changed notably.

Memory Requirements

Nexus 2.0 requires more JVM heap memory than previous versions by default. The JVM Perm Gen settings have been increased to 192MB to allow for this. This is primarily due to the newly added Smart Proxy and NuGet features. If you do not plan to enable these features, Nexus's memory requirements will be reduced.

  • NXCM-3880 - Bump perm gen space in wrapper to 192Mb

New and Noteworthy

NuGet Support

With the recent creation of the NuGet project, a package management solution for .NET developers has become available. Similar to Maven dependency management for Java developers, NuGet makes it easy to add, remove and update libraries and tools in Visual Studio projects that use the .NET Framework.

Starting with version 2.0 Sonatype Nexus Professional has full support for NuGet Repositories, including hosted, proxy, virtual, and group repositories.

Related User Stories:

  • NXCM-3482 - Investigate support for NuGet repositories
  • NXCM-3537 - Enhancements to basic NuGet support

Nexus Smart Proxy

Nexus Professional 2.0 includes a distributed eventing mechanism called Smart Proxy.

Smart Proxy is built on a secure and reliable messaging layer that enables Nexus repositories to communicate event information (e.g. a new artifact has been uploaded).
This reliable delivery of event information and the resulting awareness by subscribing Nexus instances enables customers to build out deployment topologies that can achieve higher levels of availability and resiliency.

This means a number of geographically distributed Nexus instances are now able to operate as a more cohesive repository network. This cohesion will expand as we continue to add other services that leverage the new awareness the messaging and eventing fabric provide.

For more information on how this important new feature can improve your Nexus topology, refer to the Nexus Book.

Related User Story: NXCM-3485 - As a user I need a proxy repository which works properly running against remotes that have frequent updates

Insight Repository Health Check Plugin (Pro)

Repository Health Check is a feature of Nexus that facilitates data used for Sonatype Insight. Sonatype Insight is a separate product that consists of tools to monitor and manage license, quality and security data about artifacts used in your software development life cycle.

Repository Health Check provides access to a subset of the available data in Sonatype Insight right in your Nexus server. This service provides information about artifacts Nexus has downloaded from Maven Central, including license information, security vulnerability data and other statistics.

User Interface Improvements

A fresh look consistent with other Sonatype products.

See Sonatype Nexus OSS 2.0 Release Notes for a summary of additional changes affecting the user interface.

Significant Bug Fixes

This list contains other significant new features and bug fixes in Nexus 2.1. See here for a complete list of all issues fixed in Nexus 2.1.

General Improvements

  • NXCM-2928 - Noise on update sites in Nexus logs
  • NXCM-3616 - nexus-p2-plugin prints a ton of log on nexus startup
  • NXCM-3627 - Procurement repository auto-blocks if "remote" throws an access denied exception
  • NXCM-3643 - Change name of "Maven Central" proxy to "Central"
  • NXCM-3690 - Remove the google code proxy repository from the default configuration
  • NXCM-3737 - Left navigation menu cleanup
  • NXCM-3503 - The way custom metadata indexes are laid out in "indexer-pro" directory can cause collisions.
  • NXCM-3666 - Change log level of org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter to INFO
  • NXCM-3676 - Provide option (via system property) to prevent staging deploy from failing if a user doesn't have access to a profile in the list.


  • NXCM-2974 - Nexus doesn't seem to handle entities in ldap username correctly
  • NXCM-3025 - Authentication caching is not working for crowd security realm.
  • NXCM-3645 - Anonymous user can access unexposed repositories in Nexus
  • NXCM-3647 - Regression: Security Flaw: Reflected XSS on the Resolve Page in Nexus (AVT 27069)
  • NXCM-3600 - Anonymous user can delete artifacts from open staging repositories.

Performance and Robustness

  • NXCM-3514 - Concurrent modification exception in staging.
  • NXCM-2976 - Dropping a staging repository can cause an unrelated deploy to fail due to concurrent modification exception.
  • NXCM-3477 - Corrupt license access database causes server to fail startup
  • NXCM-3011 - Use batch inserts for License report DB to improve performance
  • NXCM-3492 - Proxy Attribute storage is slow and unreliable.
  • NXCM-3732 - License access file causes excessive CPU usage on RSO

P2 and OBR plugins

  • NXCM-3606 - Switch to OSS versions of the OBR and P2 nexus plugins
  • NXCM-3465 - Use the open source version of the OBR plugin in pro
  • NXCM-3516 - Use the open source versions of the P2 plugins in pro
  • NXCM-2947 - P2 proxy repository which goes through ISA http proxy fails
  • NXCM-3339 - Allow p2 repository group still working even if one repo is not available
  • NXCM-3608 - Need an upgrade path from Nexus PRO 1.9.x to Nexus PRO 1.10/2.0 (OBR + P2)