CVE-2013-4851

Name	CVE-2013-4851
Description	The vfs_hang_addrlist function in sys/kern/vfs_export.c in the NFS server implementation in the kernel in FreeBSD 8.3 and 9.x through 9.1-RELEASE-p5 controls authorization for host/subnet export entries on the basis of group information sent by the client, which allows remote attackers to bypass file permissions on NFS filesystems via crafted requests.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2743-1
Debian Bugs	717958, 717959

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
kfreebsd-8	source	squeeze	(not affected)
kfreebsd-8	source	wheezy	8.3-6+deb7u1
kfreebsd-8	source	(unstable)	8.3-7		717959
kfreebsd-9	source	wheezy	9.0-10+deb70.3	DSA-2743-1
kfreebsd-9	source	(unstable)	9.1-4		717958

Notes

[squeeze] - kfreebsd-8 <not-affected> (FreeBSD NFS server implementation was not supported in squeeze)