CVE-2013-20001

Name: CVE-2013-20001
Description: An issue was discovered in OpenZFS through 2.0.3. When an NFS share is exported to IPv6 addresses via the sharenfs feature, there is a silent failure to parse the IPv6 address data, and access is allowed to everyone. IPv6 restrictions from the configuration are not applied.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3766-1
Debian Bugs: 1059322

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| zfs-linux (PTS) | buster/contrib | 0.7.12-2+deb10u2 | vulnerable |
| | buster/contrib (security) | 0.7.12-2+deb10u3 | fixed |
| | bullseye/contrib | 2.0.3-9+deb11u1 | vulnerable |
| | bookworm/contrib | 2.1.11-1 | vulnerable |
| | trixie/contrib | 2.2.3-1 | fixed |
| | sid/contrib | 2.2.3-2 | fixed |

The information below is based on the following data on fixed versions.

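| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zfs-linux | source | experimental | 2.2.0-1~exp1 | | | |
| zfs-linux | source | buster | 0.7.12-2+deb10u3 | | DLA-3766-1 | |
| zfs-linux | source | (unstable) | 2.2.2-1 | | | 1059322 |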

Notes

[bookworm] - zfs-linux <no-dsa> (contrib not supported)
[bullseye] - zfs-linux <no-dsa> (contrib not supported)
https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 (zfs-2.2.0-rc1)
