Univention Corporate Server 3.2 erratum 451 (security)

This update addresses the following issues:
* USB: serial: visor: fix crash on detecting device without write_urbs
  (CVE-2015-7566)
* RDS: fix race condition when sending a message on unbound socket
  (CVE-2015-7990)
* fuse: break infinite loop in fuse_fill_write_pages()(CVE-2015-8785)
* iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
* ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384)
* unix: correctly track in-flight fds in sending process user_struct
  (CVE-2016-2550)
* USB: visor: fix null-deref at probe (CVE-2016-2782)
* net: fix a kernel infoleak in x25 module (CVE-2016-4580)
* net: fix infoleak in rtnetlink (CVE-2016-4486)
* net: fix infoleak in llc (CVE-2016-4485)
* atl2: Disable unimplemented scatter/gather feature (CVE-2016-2117)
* get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
* include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821)
* USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
* Input: gtco - fix crash on detecting device without endpoints
  (CVE-2016-2187)
* usbvision: fix crash on detecting device with invalid configuration
  (CVE-2015-7833)
* ppp: take reference on channels netns (CVE-2016-4805)
* usbnet: memory corruption triggered by invalid USB descriptor
  (CVE-2016-3951)
* Input: ati_remote2 - fix crashes on detecting device with invalid
  descriptor (CVE-2016-2185)
* Input: ims-pcu - sanity check against missing interfaces (CVE-2016-3689)
* Input: powermate - fix oops with malicious USB descriptors (CVE-2016-2186)
* USB: cypress_m8: add endpoint sanity check (CVE-2016-3137)
* USB: digi_acceleport: do sanity checking for the number of ports
  (CVE-2016-3140)
* USB: mct_u232: add sanity checking in probe (CVE-2016-3136)
* USB: iowarrior: fix oops with malicious USB descriptors (CVE-2016-2188)
* USB: cdc-acm: more sanity checking (CVE-2016-3138)
* Xen: I/O port access privilege escalation in x86-64 Linux (CVE-2016-3157)
* Race condition in the audit_log_single_execve_arg function in
  kernel/auditsc.c in the Linux kernel through 4.7 allows local users to
  bypass intended character-set restrictions or disrupt system-call auditing
  by changing a certain string, aka a "double fetch" vulnerability.
  (CVE-2016-6136)
* Race condition in the ioctl_send_fib function in
  drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows
  local users to cause a denial of service (out-of-bounds access or system
  crash) by changing a certain size value, aka a "double fetch"
  vulnerability.  (CVE-2016-6480)
* Linux tcp_xmit_retransmit_queue use after free (CVE-2016-6828)
* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux
  kernel before 4.2 allows local users to obtain sensitive information or
  cause a denial of service (NULL pointer dereference) via vectors involving
  a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)
* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)
* The proc_keys_show function in security/keys/proc.c in the Linux kernel
  through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is
  enabled, uses an incorrect buffer size for certain timeout data, which
  allows local users to cause a denial of service (stack memory corruption
  and panic) by reading the /proc/keys file. (CVE-2016-7042)
* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in
  the Linux kernel through 4.8.2 does not restrict a certain length field,
  which allows local users to gain privileges or cause a denial of service
  (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control
  code. (CVE-2016-7425)