OESA-2025-1039

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1039

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2025-1039

Upstream

CVE-2024-23945

Published

2025-01-10T13:03:28Z

Modified

2025-08-12T05:42:11.347602Z

Summary

spark security update

Details

Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine.

Security Fix(es):

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver2.11 * org.apache.spark:spark-hive-thriftserver2.12(CVE-2024-23945)

Database specific

{
    "severity": "Medium"
}

References

Affected packages

openEuler:20.03-LTS-SP4

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0-3.oe2003sp4

Ecosystem specific

{
    "src": [
        "spark-3.2.0-3.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "spark-3.2.0-3.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.2.0-3.oe2003sp4.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"

openEuler:22.03-LTS-SP1

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2-2.oe2203sp1

Ecosystem specific

{
    "src": [
        "spark-3.2.2-2.oe2203sp1.src.rpm"
    ],
    "x86_64": [
        "spark-3.2.2-2.oe2203sp1.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.2.2-2.oe2203sp1.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"

openEuler:22.03-LTS-SP3

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2-2.oe2203sp3

Ecosystem specific

{
    "src": [
        "spark-3.2.2-2.oe2203sp3.src.rpm"
    ],
    "x86_64": [
        "spark-3.2.2-2.oe2203sp3.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.2.2-2.oe2203sp3.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"

openEuler:22.03-LTS-SP4

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2-3.oe2203sp4

Ecosystem specific

{
    "src": [
        "spark-3.2.2-3.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "spark-3.2.2-3.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.2.2-3.oe2203sp4.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"

openEuler:24.03-LTS

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-24.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.5.0-5.oe2403sp1

Ecosystem specific

{
    "src": [
        "spark-3.5.0-4.oe2403.src.rpm",
        "spark-3.5.0-5.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "spark-3.5.0-4.oe2403.x86_64.rpm",
        "spark-3.5.0-5.oe2403sp1.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.5.0-4.oe2403.aarch64.rpm",
        "spark-3.5.0-5.oe2403sp1.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"

openEuler:24.03-LTS-SP1

spark

Package

Name: spark
Purl: pkg:rpm/openEuler/spark&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.5.0-5.oe2403sp1

Ecosystem specific

{
    "src": [
        "spark-3.5.0-5.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "spark-3.5.0-5.oe2403sp1.x86_64.rpm"
    ],
    "aarch64": [
        "spark-3.5.0-5.oe2403sp1.aarch64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2025-1039.json"