This is an automated email from the ASF dual-hosted git repository.
jongyoul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin-site.git
The following commit(s) were added to refs/heads/master by this push:
new 77fc73335 add section about CVEs in security.md (#28)
77fc73335 is described below
commit 77fc73335edcdac32f775242a2b9de578259884e
Author: PJ Fanning <[email protected]>
AuthorDate: Sun Jul 27 13:50:31 2025 +0100
add section about CVEs in security.md (#28)
---
security.md | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security.md b/security.md
index ebba56684..dc52ad4fc 100644
--- a/security.md
+++ b/security.md
@@ -102,9 +102,15 @@ executables could potentially be altered for malicious
purposes.
To mitigate this risk, it's recommended to set the paths to trusted
locations for these executables, such as PYTHON and SPARK_HOME.
-# Reporting security issues
+# Known Security Issues
-If you have found a potential security issue in Zeppelin,
+It is always best to use the latest Apache Zeppelin
[release](https://zeppelin.apache.org/download.html).
+A good place to check for CVE announcments is the [Zeppelin users mailing
list](https://lists.apache.org/[email protected]).
+Many third party sites maintain lists of CVEs by product. One example is
[OpenCVE](https://app.opencve.io/cve/?vendor=apache&product=zeppelin).
+
+# Reporting Security Issues
+
+If you have found a potential security issue in Apache Zeppelin,
such as a way to bypass the Shiro authentication,
we encourage you to report this problem at
[[email protected]](mailto:[email protected]).
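Review bot: typo in the added line "+A good place to check for CVE announcments is the [Zeppelin users mailing" (should read "announcements"); please fix before merge. Two smaller points in the same hunk: the link target on the following line reads `https://lists.apache.org/[email protected]`, which looks like a placeholder rather than the real list address, so verify it resolves to the users@zeppelin list; and the new heading "# Known Security Issues" does not list any issues itself but only points readers to the latest release, the users list and a third-party CVE tracker, so a heading such as "# Finding Security Advisories" would describe the section more accurately.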