diff --git a/backport-CVE-2024-23945.patch b/backport-CVE-2024-23945.patch
new file mode 100644
index 0000000000000000000000000000000000000000..51652f8a8dffdb7cfcda35dfb05acab86aa48cc7
--- /dev/null
+++ b/backport-CVE-2024-23945.patch
@@ -0,0 +1,51 @@
+From cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Mon Sep 17 00:00:00 2001
+From: Sean Owen
+Date: Tue, 17 Oct 2023 16:10:56 -0700
+Subject: [PATCH] [MINOR][SQL] Remove signature from Hive thriftserver
+ exception
+
+### What changes were proposed in this pull request?
+
+Don't return expected signature to caller in Hive thriftserver exception
+
+### Why are the changes needed?
+
+Please see private discussion
+
+### Does this PR introduce _any_ user-facing change?
+
+No
+
+### How was this patch tested?
+
+Existing tests
+
+### Was this patch authored or co-authored using generative AI tooling?
+
+No
+
+Closes #43402 from srowen/HiveCookieSigner.
+
+Authored-by: Sean Owen
+Signed-off-by: Dongjoon Hyun
+---
+ .../src/main/java/org/apache/hive/service/CookieSigner.java | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+index 782e47a6..4b8d2cb1 100644
+--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
++++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+@@ -81,8 +81,7 @@ public class CookieSigner {
+ LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
+ }
+ if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
+- throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
+- " current = " + currentSignature);
++ throw new IllegalArgumentException("Invalid sign");
+ }
+ return rawValue;
+ }
+-- 
+2.43.0
+
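Review bot: The backported CookieSigner hunk still emits the freshly computed signature on the context line `LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);`, so with debug logging enabled the valid signature for a caller-supplied raw value still lands in the server log, which is the same value the commit stops returning in the exception message. Consider carrying a small local follow-up in this patch so that the log line mentions only the raw value, e.g. `LOG.debug("Verifying signature for " + rawValue);`. The two `getBytes()` calls on the `MessageDigest.isEqual` line use the platform default charset; the signatures are presumably ASCII-only, but passing `StandardCharsets.UTF_8` (if it is already imported in CookieSigner) would make the comparison independent of the JVM default. The verify method begins before line 81 of the inner hunk, so its preceding control flow is not visible here.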
diff --git a/spark.spec b/spark.spec index 08d9f0bdefc04b854681099223fd66ca06831395..219d5147f95737ad8fd36fedb2b661c672b84b8f 100644 --- a/spark.spec +++ b/spark.spec @@ -4,7 +4,7 @@ Summary: A unified analytics engine for large-scale data processing. Name: spark Version: 3.5.0 -Release: 4 +Release: 5 License: Apache 2.0 URL: http://spark.apache.org/ Source0: https://github.com/apache/spark/archive/v%{version}.tar.gz @@ -16,6 +16,7 @@ Source5: https://github.com/google/protobuf/releases/download/v21.7/protobuf-all Source6: https://github.com/grpc/grpc-java/archive/refs/tags/v1.56.0.tar.gz Patch0001: 0001-change-mvn-scalafmt.patch Patch0002: 0002-Upgrade-os-maven-plugin-to-1.7.1.patch +Patch0003: backport-CVE-2024-23945.patch %ifarch riscv64 BuildRequires: protobuf-devel protobuf-compiler @@ -76,6 +77,7 @@ popd %patch0001 -p1 %patch0002 -p1 +%patch0003 -p1 %ifarch riscv64 sed -i -e 's/protoVersion = "3.23.4/protoVersion = "'${PROTOC_VERSION}/'' project/SparkBuild.scala @@ -97,6 +99,12 @@ cp -rf ../%{name}-%{version} %{buildroot}/opt/apache-%{name}-%{version} %changelog +* Thu Dec 26 2024 changtao - 3.5.0-5 +- Type: CVE +- CVE: CVE-2024-23945 +- SUG: NA +- DESC: fix CVE-2024-23945 + * Mon Jul 1 2024 Dingli Zhang - 3.5.0-4 - Add riscv64 to ExclusiveArch - Fix build on riscv64