Closed raboof closed 1 month ago
Similar to the other PR I'm not sure I follow on package choice. Looking at the linked PR it seems like something in their build system is being changed. https://github.com/apache/zeppelin/pull/4708/files Could you explain how that change implicated the org.apache.zeppelin:zeppelin-shell artifact?
Indeed the zeppelin-shell component itself was not changed, but it was disabled by default. Like with https://github.com/github/advisory-database/pull/4463, marking 'zeppelin as a whole' as affected would perhaps have been preferable, but failing a way to refer to that, 'any installation containing zeppelin-shell' seems like a reasonable proxy.
What does it mean that the shell component was disabled by default though? Forgive my ignorance with the project, but my thinking is that if I add org.apache.zeppelin:zeppelin-shell to my pom I still need to import and to use the code from the artifact in my particular project. That is to say opt-in behavior. Am I missing something there?
zeppelin-shell is an 'Interpreter' component for Zeppelin: you would typically not use it in your own project/pom, only with Zeppelin. Zeppelin detects available interpreters by scanning the 'interpreter' directory of the installation. 'disabled by default' here means zeppelin-shell is no longer placed in the 'interpreter' directory during the default installation, so operators that want to use it (and have considered the risk of doing so) need to place it there explicitly.
Gotcha. Thanks for the clarification 👍
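An added example, not part of the thread or of Zeppelin's own code: an operator-side check for the 'any installation containing zeppelin-shell' proxy discussed above, which looks for a zeppelin-shell jar under the installation's 'interpreter' directory and compares its version with a range. It assumes Maven-style jar names (zeppelin-shell-<version>.jar) and reads the bounds in the commit title below as a half-open range; the function names and the sample directory layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: jars keep the Maven naming zeppelin-shell-<version>[-qualifier].jar
JAR_RE = re.compile(r"^zeppelin-shell-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_version(text):
    """Turn '0.10.1' into (0, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_shell_interpreter(install_root):
    """Return sorted (relative path, version) pairs for every zeppelin-shell
    jar below <install_root>/interpreter, the directory Zeppelin scans."""
    interp = Path(install_root) / "interpreter"
    if not interp.is_dir():
        return []
    hits = []
    for jar in interp.rglob("*.jar"):
        match = JAR_RE.match(jar.name)
        if match:
            hits.append((jar.relative_to(install_root).as_posix(), match.group(1)))
    return sorted(hits)


def in_range(version, low="0.10.1", high="0.11.1"):
    """Assumption: low is inclusive and high is exclusive; qualifiers such as
    -SNAPSHOT are ignored, so check pre-release builds by hand."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


def build_sample(root, layout):
    """Create empty files for a constructed installation layout."""
    for rel in layout:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: only the jar under interpreter/ is discoverable.
        build_sample(root, ["interpreter/sh/zeppelin-shell-0.10.1.jar",
                            "interpreter/md/zeppelin-markdown-0.10.1.jar",
                            "lib/zeppelin-shell-0.10.1.jar"])
        for path, version in find_shell_interpreter(root):
            print(path, version, "in range" if in_range(version) else "outside range")
```

A jar that sits outside the 'interpreter' directory is not reported, which matches the thread's point that exposure depends on the interpreter being installed rather than on the artifact existing somewhere on disk.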
Hi @raboof! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
…in-shell 0.10.1 < 0.11.1
This information was in the CVE metadata at https://www.cve.org/CVERecord?id=CVE-2024-31861