This is an automated email from the ASF dual-hosted git repository.

jongyoul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin-site.git


The following commit(s) were added to refs/heads/master by this push:
     new da2424181 Add comments about removal of sh interpreter
da2424181 is described below

commit da2424181cb7e907eb2f34afd166db59fcf0f543
Author: Jongyoul Lee <jongy...@gmail.com>
AuthorDate: Sat Feb 17 22:54:12 2024 +0900

    Add comments about removal of sh interpreter
---
 security.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/security.md b/security.md
index aaea32b7b..b99cdf612 100644
--- a/security.md
+++ b/security.md
@@ -36,6 +36,12 @@ available to trusted users, and the server on which Zeppelin 
is
 installed does not contain any secrets or have privileges beyond
 those the users are trusted with.
 
+All interpreters should be assumed to be able to access the local 
+shell and execute arbitrary commands with the privileges of the user
+running the Zeppelin server. As generic interpreters such as sh, Groovy,
+Java and Python make this especially trivial, we plan to disable the sh
+interpreter by default from version 0.11.1 onward.
+
 ### Zeppelin on Docker
 
 An exception to the above is when the Zeppelin interpreter
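Review bot: the new paragraph announces that the sh interpreter will be disabled by default from 0.11.1 but does not tell operators what the change means for them in practice, which is the question a reader of security.md will have. Consider adding one sentence stating whether the other generic interpreters named here (Groovy, Java, Python) stay enabled by default, and pointing to where an administrator who still needs sh can deliberately re-enable it, so the "trusted users" model stated just above remains the explicit condition for doing so. The tense ("we plan to") will also read as stale once 0.11.1 ships; "is disabled by default from 0.11.1 onward" avoids a follow-up edit.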
@@ -91,7 +97,7 @@ An overview of the vulnerability handling process is:
 
 * The reporter reports the vulnerability privately to 
[secur...@zeppelin.apache.org](mailto:secur...@zeppelin.apache.org).
 * The Zeppelin project security team works privately with the reporter to 
resolve the vulnerability.
-* The Zeppelin project creates a new release of the package the vulnerabilty 
affects to deliver its fix.
+* The Zeppelin project creates a new release of the package the vulnerability 
affects to deliver its fix.
 * The Zeppelin project publicly announces the vulnerability and describes how 
to apply the fix.
 
 Committers should read a [more detailed description of the 
process](https://www.apache.org/security/committers.html). Reporters of 
security vulnerabilities may also find it useful.
