This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/zeppelin-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 9ce889f45 Automatic Site Publish by Buildbot
9ce889f45 is described below
commit 9ce889f45d1fb8ff893c67cc20eb2e4e1349c450
Author: buildbot <[email protected]>
AuthorDate: Sat Feb 17 13:54:40 2024 +0000
Automatic Site Publish by Buildbot
---
output/atom.xml | 2 +-
output/rss.xml | 4 ++--
output/security.html | 8 +++++++-
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/output/atom.xml b/output/atom.xml
index 4d96d5daf..409e307c7 100644
--- a/output/atom.xml
+++ b/output/atom.xml
@@ -4,7 +4,7 @@
<title>Apache Zeppelin</title>
<link href="http://zeppelin.apache.org/" rel="self"/>
<link href="http://zeppelin.apache.org"/>
- <updated>2024-02-17T13:47:34+00:00</updated>
+ <updated>2024-02-17T13:54:32+00:00</updated>
<id>http://zeppelin.apache.org</id>
<author>
<name>The Apache Software Foundation</name>
diff --git a/output/rss.xml b/output/rss.xml
index 58738e685..a78c62a0f 100644
--- a/output/rss.xml
+++ b/output/rss.xml
@@ -5,8 +5,8 @@
<description>Apache Zeppelin - The Apache Software
Foundation</description>
<link>http://zeppelin.apache.org</link>
<link>http://zeppelin.apache.org</link>
- <lastBuildDate>2024-02-17T13:47:34+00:00</lastBuildDate>
- <pubDate>2024-02-17T13:47:34+00:00</pubDate>
+ <lastBuildDate>2024-02-17T13:54:32+00:00</lastBuildDate>
+ <pubDate>2024-02-17T13:54:32+00:00</pubDate>
<ttl>1800</ttl>
diff --git a/output/security.html b/output/security.html
index 55186bdb5..e4869e211 100644
--- a/output/security.html
+++ b/output/security.html
@@ -165,6 +165,12 @@ available to trusted users, and the server on which
Zeppelin is
installed does not contain any secrets or have privileges beyond
those the users are trusted with.</p>
+<p>All interpreters should be assumed to be able to access the local
+shell and execute arbitrary commands with the privileges of the user
+running the Zeppelin server. As generic interpreters such as sh, Groovy,
+Java and Python make this especially trivial, we plan to disable the sh
+interpreter by default from version 0.11.1 onward.</p>
+
<h3>Zeppelin on Docker</h3>
<p>An exception to the above is when the Zeppelin interpreter
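Review bot: The last sentence of the added paragraph announces disabling only the sh interpreter, although the same sentence names Groovy, Java and Python as making command execution equally trivial, so a reader could take the sh change as a mitigation. Suggest adding a sentence stating that disabling sh by default is a hardening default and not a security boundary: the remaining interpreters still execute commands with the privileges of the user running the Zeppelin server, and the trusted-users assumption in the preceding paragraph still applies. Separately, "we plan to disable ... from version 0.11.1 onward" will go stale once that version is released, so the wording should be revisited at release time to state what the default actually is.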
@@ -221,7 +227,7 @@ for each vulnerability you are reporting.</p>
<ul>
<li>The reporter reports the vulnerability privately to <a
href="mailto:[email protected]">[email protected]</a>.</li>
<li>The Zeppelin project security team works privately with the reporter to
resolve the vulnerability.</li>
-<li>The Zeppelin project creates a new release of the package the vulnerabilty
affects to deliver its fix.</li>
+<li>The Zeppelin project creates a new release of the package the
vulnerability affects to deliver its fix.</li>
<li>The Zeppelin project publicly announces the vulnerability and describes
how to apply the fix.</li>
</ul>