Errata overview
Errata ID: 401
Date: 2016-02-17
Source package: univention-kernel-image
Fixed in version: 7.0.0-23.91.201602151717
Description:
This erratum updates the Linux kernel in UCS 3.2 to 3.10.96. Among
several further bugfixes, this resolves multiple security issues:
* Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel
  before 4.3.3 allows local users to bypass intended AF_UNIX socket
  permissions or cause a denial of service (panic) via crafted epoll_ctl
  calls (CVE-2013-7446)
* The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4
  does not properly handle rename actions inside a bind mount, which allows
  local users to bypass an intended container protection mechanism by
  renaming a directory, related to a "double-chroot attack" (CVE-2015-2925)
* Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2
  allows local users to cause a denial of service (list corruption and
  panic) via a rapid series of system calls related to sockets, as
  demonstrated by setsockopt calls (CVE-2015-3212)
* drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036)
* udf: Check length of extended attributes and allocation descriptors
  (CVE-2015-4167)
* The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the
  Linux kernel before 4.0.6 allows local users to cause a denial of service
  (system crash) by creating a packet filter and then loading crafted BPF
  instructions that trigger late convergence by the JIT compiler
  (CVE-2015-4700)
* The virtnet_probe function in drivers/net/virtio_net.c in the Linux
  kernel before 4.2 attempts to support a FRAGLIST feature without proper
  memory allocation, which allows guest OS users to cause a denial of
  service (buffer overflow and memory corruption) via a crafted sequence of
  fragmented packets (CVE-2015-5156)
* drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows
  physically proximate attackers to cause a denial of service (NULL pointer
  dereference and OOPS) or possibly have unspecified other impact via a
  crafted USB device (CVE-2015-5257)
* The sctp_init function in net/sctp/protocol.c in the Linux kernel before
  4.2.3 has an incorrect sequence of protocol-initialization steps, which
  allows local users to cause a denial of service (panic or memory
  corruption) by creating SCTP sockets before all of the steps have
  finished (CVE-2015-5283)
* The __rds_conn_create function in net/rds/connection.c in the Linux
  kernel through 4.2.3 allows local users to cause a denial of service
  (NULL pointer dereference and system crash) or possibly have unspecified
  other impact by using a socket that was not properly bound
  (CVE-2015-6937)
* Linux keyring subsystem race condition leads to a NULL pointer dereference (CVE-2015-7550)
* Race condition in the IPC object implementation in the Linux kernel
  through 4.2.3 allows local users to gain privileges by triggering an
  ipc_addid call that leads to uid and gid comparisons against
  uninitialized data, related to msg.c, shm.c, and util.c (CVE-2015-7613)
* The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel
  through 4.2.3 does not ensure that certain slot numbers are valid, which
  allows local users to cause a denial of service (NULL pointer dereference
  and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799)
* The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel
  through 4.2.6 allows local users to cause a denial of service (OOPS) via
  crafted keyctl commands (CVE-2015-7872)
* The networking implementation in the Linux kernel through 4.3.3, as used
  in Android and other products, does not validate protocol identifiers for
  certain protocol families, which allows local users to cause a denial of
  service (NULL function pointer dereference and system crash) or possibly
  gain privileges by leveraging CLONE_NEWUSER support to execute a crafted
  SOCK_RAW application (CVE-2015-8543)
* The (1) pptp_bind and (2) pptp_connect functions in
  drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an
  address length, which allows local users to obtain sensitive information
  from kernel memory and bypass the KASLR protection mechanism via a
  crafted application (CVE-2015-8569)
* sco_sock_bind issue (CVE-2015-8575)
* KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728)
Additional notes: This is the second part of the fix, which updates the meta package.
CVE ID: CVE-2013-7446, CVE-2015-2925, CVE-2015-3212, CVE-2015-4036, CVE-2015-4167, CVE-2015-4700, CVE-2015-5156, CVE-2015-5257, CVE-2015-5283, CVE-2015-6937, CVE-2015-7550, CVE-2015-7613, CVE-2015-7799, CVE-2015-7872, CVE-2015-8543, CVE-2015-8569, CVE-2015-8575, CVE-2016-0728
UCS Bug number: #39209