
Patched()Fix Protobuf Java vulnerable to Uncontrolled Resource Consumption #39566

Closed

Conversation

imhunterand

Changes:

Affected versions of apache-spark are vulnerable to Denial of Service (DoS) when providing inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields. The vulnerability exists due to a parsing issue in the Message-Type Extensions. Exploiting this vulnerability causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Code fragments included in the PR description (as displayed; not a complete listing):

```
          input.readGroup(field.getNumber(), builder.getFieldBuilder(field), extensionRegistry);
          return;
      if (defaultInstance != null) {
        subBuilder = defaultInstance.newBuilderForType();
      } else {
        subBuilder = builder.newBuilderForField(field);
    const char* name = upb_EnumValueDef_Name(ev);
      String name = value.getName();
      if (Character.isUpperCase(name.codePointAt(0))) {
```

Operational Impact

CWE-400
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

@AmplabJenkins

Can one of the admins verify this patch?

@imhunterand
Author

Hi! @everyone @apache, any update? It has been a week of waiting for the fix. Could you merge this pull request as fixed/patched?

Kind regards,

@srowen
Member

srowen commented Jan 24, 2023

Hold up a sec. First please read https://spark.apache.org/contributing.html
Where does this actually affect Spark?
You have only updated a protobuf dependency in the Kinesis integration
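The reviewer's point above is that a dependency bump applied in one module does not fix the other modules of a multi-module build. The following is an added example, not part of this PR or of Spark's build tooling: it parses Maven POMs, resolves `${property}` versions, and reports every module that declares `protobuf-java`, flagging when the pinned versions disagree. The POM snippets, module paths and version numbers are constructed for illustration.

```python
# Added example (not from the PR or Spark): audit which Maven modules declare
# protobuf-java and at which version, so a security-motivated dependency bump
# can be checked for coverage across the whole build.
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POMs keyed by a hypothetical module path; the version
# numbers are illustrative values, not Spark's actual pins.
SAMPLE_POMS = {
    "pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><protobuf.version>2.5.0</protobuf.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId><version>${protobuf.version}</version>
    </dependency></dependencies></dependencyManagement></project>""",
    "connector/kinesis/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency><groupId>com.google.protobuf</groupId>
    <artifactId>protobuf-java</artifactId><version>3.21.7</version>
  </dependency></dependencies></project>""",
}

def resolve(version, props):
    """Expand ${property} references using the POM's own <properties> block."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), version or "")

def protobuf_versions(poms):
    """Return {module_path: version} for every POM that declares protobuf-java."""
    found = {}
    for path, text in poms.items():
        root = ET.fromstring(text)
        props = {p.tag.split("}")[-1]: (p.text or "").strip()
                 for p in root.findall("m:properties/*", NS)}
        for dep in root.iter("{%s}dependency" % NS["m"]):
            if dep.findtext("m:groupId", default="", namespaces=NS) == "com.google.protobuf" \
               and dep.findtext("m:artifactId", default="", namespaces=NS) == "protobuf-java":
                found[path] = resolve(dep.findtext("m:version", namespaces=NS), props)
    return found

def inconsistent(poms):
    """True when modules pin different protobuf-java versions, i.e. a bump was not applied everywhere."""
    return len(set(protobuf_versions(poms).values())) > 1

if __name__ == "__main__":
    for module, ver in protobuf_versions(SAMPLE_POMS).items():
        print(f"{module}: protobuf-java {ver}")
    print("inconsistent:", inconsistent(SAMPLE_POMS))
```

Pointed at a real checkout, the same walk over every `pom.xml` shows whether the parent's managed version and each module's override agree after a fix.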

@github-actions

github-actions bot commented May 5, 2023

We're closing this PR because it hasn't been updated in a while. This isn't a judgement on the merit of the PR in any way. It's just a way of keeping the PR queue manageable.
If you'd like to revive this PR, please reopen it and ask a committer to remove the Stale tag!

@github-actions github-actions bot added the Stale label May 5, 2023
@github-actions github-actions bot closed this May 6, 2023