CVE-2020-1926: Timing attack in Cookie signature verification

[Chao Sun <sunchao () apache org>]

Description:

Apache Hive cookie signature verification used a non constant time
comparison which is known to be vulnerable to timing attacks. This could
allow recovery of another users cookie signature. The issue was addressed
in Apache Hive 2.3.8

This issue is being tracked as HIVE-22708

Credit:

Apache Hive would like to thank S. Wasin for reporting this issue.

References:

https://issues.apache.org/jira/browse/HIVE-22708