diff -Nru zfs-linux-0.8.3/debian/changelog zfs-linux-0.8.3/debian/changelog
--- zfs-linux-0.8.3/debian/changelog 2022-11-30 15:46:58.000000000 +0000
+++ zfs-linux-0.8.3/debian/changelog 2024-01-31 16:02:07.000000000 +0000
@@ -1,3 +1,25 @@
+zfs-linux (0.8.3-1ubuntu12.17) focal; urgency=medium
+
+ * Cherry-pick
+ https://github.com/robn/zfs/commit/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch
+ backport of "dnode_is_dirty: check dnode and its data for dirtiness"
+ by robn. LP: #2044657
+
+ -- Dimitri John Ledkov Wed, 31 Jan 2024 16:02:07 +0000
+
+zfs-linux (0.8.3-1ubuntu12.16) focal-security; urgency=medium
+
+ * SECURITY UPDATE: silent failure when parsing IPv6 restrictions
+ - debian/patches/CVE-2013-20001.patch: pass through ipv6 addresses in
+ bracket notation in lib/libshare/os/linux/nfs.c, man/man8/zfs.8,
+ tests/runfiles/linux.run,
+ tests/zfs-tests/tests/functional/cli_root/zfs_share/Makefile.am,
+ tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_007_neg.ksh,
+ tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_013_pos.ksh.
+ - CVE-2013-20001
+
+ -- Marc Deslauriers Thu, 02 Nov 2023 10:49:36 -0400
+
 zfs-linux (0.8.3-1ubuntu12.15) focal; urgency=medium
 
 * Fix zfs_arc_max getting ignored when value below allmem/32 (LP: #1964992)
diff -Nru zfs-linux-0.8.3/debian/patches/CVE-2013-20001.patch zfs-linux-0.8.3/debian/patches/CVE-2013-20001.patch
--- zfs-linux-0.8.3/debian/patches/CVE-2013-20001.patch 1970-01-01 00:00:00.000000000 +0000
+++ zfs-linux-0.8.3/debian/patches/CVE-2013-20001.patch 2024-01-31 15:57:44.000000000 +0000
@@ -0,0 +1,221 @@
+Backport of:
+
+From 6cb5e1e7591da20af3a15793e022345a73e40fb7 Mon Sep 17 00:00:00 2001
+From: felixdoerre
+Date: Wed, 20 Oct 2021 19:40:00 +0200
+Subject: [PATCH] libshare: nfs: pass through ipv6 addresses in bracket
+ notation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recognize when the host part of a sharenfs attribute is an ipv6
+Literal and pass that through without modification.
+
+Reviewed-by: Brian Behlendorf
+Signed-off-by: Felix Dörre
+Closes: #11171
+Closes #11939
+Closes: #1894
+---
+ lib/libshare/os/linux/nfs.c | 47 +++++++++--
+ man/man8/zfs.8 | 2 +-
+ tests/runfiles/linux.run | 2 +-
+ .../functional/cli_root/zfs_share/Makefile.am | 1 +
+ .../cli_root/zfs_share/zfs_share_007_neg.ksh | 2 +-
+ .../cli_root/zfs_share/zfs_share_013_pos.ksh | 80 +++++++++++++++++++
+ 6 files changed, 126 insertions(+), 8 deletions(-)
+ create mode 100755 tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_013_pos.ksh
+
+--- a/lib/libshare/nfs.c
++++ b/lib/libshare/nfs.c
+@@ -129,8 +129,9 @@ foreach_nfs_host_cb(const char *opt, con
+ {
+ int rc;
+ const char *access;
+- char *host_dup, *host, *next;
++ char *host_dup, *host, *next, *v6Literal;
+ nfs_host_cookie_t *udata = (nfs_host_cookie_t *)pcookie;
++ int cidr_len;
+
+ #ifdef DEBUG
+ fprintf(stderr, "foreach_nfs_host_cb: key=%s, value=%s\n", opt, value);
+@@ -153,10 +154,46 @@ foreach_nfs_host_cb(const char *opt, con
+ host = host_dup;
+
+ do {
+- next = strchr(host, ':');
+- if (next != NULL) {
+- *next = '\0';
+- next++;
++ if (*host == '[') {
++ host++;
++ v6Literal = strchr(host, ']');
++ if (v6Literal == NULL) {
++ free(host_dup);
++ return (SA_SYNTAX_ERR);
++ }
++ if (v6Literal[1] == '\0') {
++ *v6Literal = '\0';
++ next = NULL;
++ } else if (v6Literal[1] == '/') {
++ next = strchr(v6Literal + 2, ':');
++ if (next == NULL) {
++ cidr_len =
++ strlen(v6Literal + 1);
++ memmove(v6Literal,
++ v6Literal + 1,
++ cidr_len);
++ v6Literal[cidr_len] = '\0';
++ } else {
++ cidr_len = next - v6Literal - 1;
++ memmove(v6Literal,
++ v6Literal + 1,
++ cidr_len);
++ v6Literal[cidr_len] = '\0';
++ next++;
++ }
++ } else if (v6Literal[1] == ':') {
++ *v6Literal = '\0';
++ next = v6Literal + 2;
++ } else {
++ free(host_dup);
++ return (SA_SYNTAX_ERR);
++ }
++ } else {
++ next = strchr(host, ':');
++ if (next != NULL) {
++ *next = '\0';
++ next++;
++ }
+ }
+
+ rc = udata->callback(udata->sharepath, host,
+--- a/man/man8/zfs.8
++++ b/man/man8/zfs.8
+@@ -4912,7 +4912,7 @@ on the
+ .Em tank/home
+ file system.
+ .Bd -literal
+-# zfs set sharenfs='rw=@123.123.0.0/16,root=neo' tank/home
++# zfs set sharenfs='rw=@123.123.0.0/16:[::1],root=neo' tank/home
+ .Ed
+ .Pp
+ If you are using
+--- a/tests/runfiles/linux.run
++++ b/tests/runfiles/linux.run
+@@ -257,7 +257,7 @@ tags = ['functional', 'cli_root', 'zfs_s
+ tests = ['zfs_share_001_pos', 'zfs_share_002_pos', 'zfs_share_003_pos',
+ 'zfs_share_004_pos', 'zfs_share_005_pos', 'zfs_share_006_pos',
+ 'zfs_share_007_neg', 'zfs_share_008_neg', 'zfs_share_009_neg',
+- 'zfs_share_010_neg', 'zfs_share_011_pos']
++ 'zfs_share_010_neg', 'zfs_share_011_pos', 'zfs_share_013_pos']
+ tags = ['functional', 'cli_root', 'zfs_share']
+
+ [tests/functional/cli_root/zfs_snapshot]
+--- a/tests/zfs-tests/tests/functional/cli_root/zfs_share/Makefile.am
++++ b/tests/zfs-tests/tests/functional/cli_root/zfs_share/Makefile.am
+@@ -12,7 +12,8 @@ dist_pkgdata_SCRIPTS = \
+ zfs_share_008_neg.ksh \
+ zfs_share_009_neg.ksh \
+ zfs_share_010_neg.ksh \
+- zfs_share_011_pos.ksh
++ zfs_share_011_pos.ksh \
++ zfs_share_013_pos.ksh
+
+ dist_pkgdata_DATA = \
+ zfs_share.cfg
+--- a/tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_007_neg.ksh
++++ b/tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_007_neg.ksh
+@@ -51,7 +51,7 @@ function cleanup {
+
+ set -A badopts \
+ "r0" "r0=machine1" "r0=machine1:machine2" \
+- "-g" "-b" "-c" "-d" "--invalid" \
++ "-g" "-b" "-c" "-d" "--invalid" "rw=[::1]a:[::2]" "rw=[::1" \
+ "$TESTPOOL" "$TESTPOOL/$TESTFS" "$TESTPOOL\$TESTCTR\$TESTFS1"
+
+ log_assert "Verify that invalid share parameters and options are caught."
+--- /dev/null
++++ b/tests/zfs-tests/tests/functional/cli_root/zfs_share/zfs_share_013_pos.ksh
+@@ -0,0 +1,80 @@
++#!/bin/ksh -p
++#
++# CDDL HEADER START
++#
++# The contents of this file are subject to the terms of the
++# Common Development and Distribution License (the "License").
++# You may not use this file except in compliance with the License.
++#
++# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++# or http://www.opensolaris.org/os/licensing.
++# See the License for the specific language governing permissions
++# and limitations under the License.
++#
++# When distributing Covered Code, include this CDDL HEADER in each
++# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++# If applicable, add the following below this CDDL HEADER, with the
++# fields enclosed by brackets "[]" replaced with your own identifying
++# information: Portions Copyright [yyyy] [name of copyright owner]
++#
++# CDDL HEADER END
++#
++
++#
++# Copyright (c) 2020, Felix Dörre
++#
++
++. $STF_SUITE/include/libtest.shlib
++
++#
++# DESCRIPTION:
++# Verify that NFS share options including ipv6 literals are parsed and propagated correctly.
++#
++
++verify_runnable "global"
++
++function cleanup
++{
++ log_must zfs set sharenfs=off $TESTPOOL/$TESTFS
++ is_shared $TESTPOOL/$TESTFS && \
++ log_must unshare_fs $TESTPOOL/$TESTFS
++}
++
++log_onexit cleanup
++
++cleanup
++
++log_must zfs set sharenfs="rw=[::1]" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "::1(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[2::3]" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "2::3(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[::1]:[2::3]" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "::1(" <<< "$output" > /dev/null
++log_must grep "2::3(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[::1]/64" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "::1/64(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[2::3]/128" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "2::3/128(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[::1]/32:[2::3]/128" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "::1/32(" <<< "$output" > /dev/null
++log_must grep "2::3/128(" <<< "$output" > /dev/null
++
++log_must zfs set sharenfs="rw=[::1]:[2::3]/64:[2a01:1234:1234:1234:aa34:234:1234:1234]:1.2.3.4/24" $TESTPOOL/$TESTFS
++output=$(showshares_nfs 2>&1)
++log_must grep "::1(" <<< "$output" > /dev/null
++log_must grep "2::3/64(" <<< "$output" > /dev/null
++log_must grep "2a01:1234:1234:1234:aa34:234:1234:1234(" <<< "$output" > /dev/null
++log_must grep "1\\.2\\.3\\.4/24(" <<< "$output" > /dev/null
++
++log_pass "NFS share ip address propagated correctly."
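Review bot: In the `*host == '['` branch added to foreach_nfs_host_cb (the embedded lib/libshare/nfs.c hunk), neither the text between the brackets nor the prefix after `]/` is checked to be an IPv6 address and a numeric length, so constructed values such as `rw=[]` or `rw=[x]/y` are unwrapped and handed to `udata->callback` as a host. Because this update is about share restrictions that fail silently, I would return SA_SYNTAX_ERR for such input, for instance by NUL-terminating at `]` and requiring `inet_pton(AF_INET6, host, &addr) == 1` before the prefix is moved down, and add both strings to `badopts` in zfs_share_007_neg.ksh. Separately, `cidr_len` holds a `strlen()` result and a pointer difference and is passed to `memmove`, so `size_t cidr_len;` fits better than `int cidr_len;`. The function starts and ends outside the hunk, so how the callback uses the host string is not visible here.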
diff -Nru zfs-linux-0.8.3/debian/patches/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch zfs-linux-0.8.3/debian/patches/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch
--- zfs-linux-0.8.3/debian/patches/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch 1970-01-01 00:00:00.000000000 +0000
+++ zfs-linux-0.8.3/debian/patches/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch 2024-01-31 16:01:33.000000000 +0000
@@ -0,0 +1,70 @@
+From f2f7f43a9bf4628328292f25b1663b873f271b1a Mon Sep 17 00:00:00 2001
+From: Rob N
+Date: Wed, 29 Nov 2023 04:16:49 +1100
+Subject: [PATCH] dmu_offset_next: check dnode and its data for dirtiness
+Origin: https://github.com/robn/zfs/commit/f2f7f43a9bf4628328292f25b1663b873f271b1a.patch
+
+Over its history this the dirty dnode test has been changed between
+checking for a dnodes being on `os_dirty_dnodes` (`dn_dirty_link`) and
+`dn_dirty_record`.
+
+ de198f2d9 Fix lseek(SEEK_DATA/SEEK_HOLE) mmap consistency
+ 2531ce372 Revert "Report holes when there are only metadata changes"
+ ec4f9b8f3 Report holes when there are only metadata changes
+ 454365bba Fix dirty check in dmu_offset_next()
+ 66aca2473 SEEK_HOLE should not block on txg_wait_synced()
+
+Also illumos/illumos-gate@c543ec060d illumos/illumos-gate@2bcf0248e9
+
+It turns out both are actually required.
+
+In the case of appending data to a newly created file, the dnode proper
+is dirtied (at least to change the blocksize) and dirty records are
+added. Thus, a single logical operation is represented by separate
+dirty indicators, and must not be separated.
+
+The incorrect dirty check becomes a problem when the first block of a
+file is being appended to while another process is calling lseek to skip
+holes. There is a small window where the dnode part is undirtied while
+there are still dirty records. In this case, `lseek(fd, 0, SEEK_DATA)`
+would not know that the file is dirty, and would go to
+`dnode_next_offset()`. Since the object has no data blocks yet, it
+returns `ESRCH`, indicating no data found, which results in `ENXIO`
+being returned to `lseek()`'s caller.
+
+Since coreutils 9.2, `cp` performs sparse copies by default, that is, it
+uses `SEEK_DATA` and `SEEK_HOLE` against the source file and attempts to
+replicate the holes in the target. When it hits the bug, its initial
+search for data fails, and it goes on to call `fallocate()` to create a
+hole over the entire destination file.
+
+This has come up more recently as users upgrade their systems, getting
+OpenZFS 2.2 as well as a newer coreutils. However, this problem has been
+reproduced against 2.1, as well as on FreeBSD 13 and 14.
+
+This change simply updates the dirty check to check both types of dirty.
+If there's anything dirty at all, we immediately go to the "wait for
+sync" stage, It doesn't really matter after that; both changes are on
+disk, so the dirty fields should be correct.
+
+Sponsored-by: Klara, Inc.
+Sponsored-by: Wasabi Technology, Inc.
+Signed-off-by: Rob Norris
+---
+ module/zfs/dmu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/module/zfs/dmu.c b/module/zfs/dmu.c
+index 2c1903d7f384..bdb5468ed3d3 100644
+--- a/module/zfs/dmu.c
++++ b/module/zfs/dmu.c
+@@ -2391,7 +2391,8 @@ dmu_offset_next(objset_t *os, uint64_t object, boolean_t hole, uint64_t *off)
+ * Check if dnode is dirty
+ */
+ for (i = 0; i < TXG_SIZE; i++) {
+- if (multilist_link_active(&dn->dn_dirty_link[i])) {
++ if (multilist_link_active(&dn->dn_dirty_link[i]) ||
++ !list_is_empty(&dn->dn_dirty_records[i])) {
+ clean = B_FALSE;
+ break;
+ }
diff -Nru zfs-linux-0.8.3/debian/patches/series zfs-linux-0.8.3/debian/patches/series
--- zfs-linux-0.8.3/debian/patches/series 2022-11-30 15:46:58.000000000 +0000
+++ zfs-linux-0.8.3/debian/patches/series 2024-01-31 16:01:20.000000000 +0000
@@ -32,3 +32,5 @@
 4920-Fix-zfs_get_data-access-to-files-with-wrong-generati.patch
 4930-Dont-ignore-zfs_arc_max-below-allmem-32.patch
 4931-Restore-processing-for-arc-min-and-arc-max.patch
+CVE-2013-20001.patch
+f2f7f43a9bf4628328292f25b1663b873f271b1a.patch
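Review bot: The added `!list_is_empty(&dn->dn_dirty_records[i])` test in the dmu_offset_next loop (embedded module/zfs/dmu.c hunk of f2f7f43a9bf4628328292f25b1663b873f271b1a.patch) reads the per-txg dirty-record lists, and no `dn->dn_mtx` acquisition is visible in the hunk. If those lists are only modified under that mutex, which I would expect but cannot see here, the loop should run with it held, i.e. `mutex_enter(&dn->dn_mtx);` before the `for` and `mutex_exit(&dn->dn_mtx);` after it; otherwise the window described in the commit message is narrowed rather than closed. The function starts and ends outside the hunk, so the lock may already be taken there and this needs confirming against the full source. The comment above the loop could also state what is now tested, for example `Check if the dnode or any of its data is dirty`.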