Errata overview
Errata ID 390
Date 2016-01-27
Source package univention-kernel-image-signed
Fixed in version 1.0.3-3.12.201601221815
Description
The Linux kernel in Univention Corporate Server 4.0 has been updated to
3.16.7-ckt20. It provides many bugfixes and fixes several vulnerabilities:
* File descriptors passed over AF_UNIX sockets (SCM_RIGHTS) were not
  accounted to the sending user, so a local user could bypass file-descriptor
  limits and exhaust kernel memory by sending descriptors over a socket before
  closing them (net/unix/af_unix.c, net/unix/garbage.c) (CVE-2013-4312)
* Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel
  before 4.3.3 allows local users to bypass intended AF_UNIX socket
  permissions or cause a denial of service (panic) via crafted epoll_ctl
  calls (CVE-2013-7446)
* IPv6: don't allow setting the MTU to invalid values (below the IPv6
  minimum) from a router advertisement, which remote attackers could use to
  disrupt IPv6 traffic (CVE-2015-0272)
* Denial of service due to a flaw in the add_key function of the Linux
  kernel's keyring subsystem causing memory exhaustion, exploitable by a
  local user (CVE-2015-1333)
* Race condition in the handle_to_path function in fs/fhandle.c allows local
  users to bypass the intended size restriction and trigger reads of
  additional kernel memory by changing the handle_bytes value of a file handle
  while the function is executing (CVE-2015-1420)
* The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4
  does not properly handle rename actions inside a bind mount, which allows
  local users to bypass an intended container protection mechanism by
  renaming a directory, related to a "double-chroot attack" (CVE-2015-2925)
* Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2
  allows local users to cause a denial of service (list corruption and
  panic) via a rapid series of system calls related to sockets, as
  demonstrated by setsockopt calls (CVE-2015-3212)
* Privilege escalation by local unprivileged user due to improper handling
  of nested NMIs (CVE-2015-3290)
* Denial of service due to skipped NMIs triggered by a malicious userspace
  program (CVE-2015-3291)
* udf: Check length of extended attributes and allocation descriptors
  (CVE-2015-4167)
* The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux
  kernel through 4.1.3 allows local users to cause a denial of service
  (NULL pointer dereference and system crash) or possibly have unspecified
  other impact by leveraging /dev/kvm access for an ioctl call
  (CVE-2015-4692)
* The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the
  Linux kernel before 4.0.6 allows local users to cause a denial of service
  (system crash) by creating a packet filter and then loading crafted BPF
  instructions that trigger late convergence by the JIT compiler
  (CVE-2015-4700)
* The virtnet_probe function in drivers/net/virtio_net.c in the Linux
  kernel before 4.2 attempts to support a FRAGLIST feature without proper
  memory allocation, which allows guest OS users to cause a denial of
  service (buffer overflow and memory corruption) via a crafted sequence of
  fragmented packets (CVE-2015-5156)
* Denial of service and possible privilege escalation by local unprivileged
  user due to incorrect handling of a NMI that interrupts userspace and
  encounters an IRET (CVE-2015-5157)
* drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows
  physically proximate attackers to cause a denial of service (NULL pointer
  dereference and OOPS) or possibly have unspecified other impact via a
  crafted USB device (CVE-2015-5257)
* The sctp_init function in net/sctp/protocol.c in the Linux kernel before
  4.2.3 has an incorrect sequence of protocol-initialization steps, which
  allows local users to cause a denial of service (panic or memory
  corruption) by creating SCTP sockets before all of the steps have
  finished (CVE-2015-5283)
* The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
  through 4.6.x, allows guest OS users to cause a denial of service (host
  OS panic or hang) by triggering many #AC (aka Alignment Check)
  exceptions, related to svm.c and vmx.c (CVE-2015-5307)
* The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel
  before 4.0.6 do not properly consider yielding a processor, which allows
  remote attackers to cause a denial of service (system hang) via incorrect
  checksums within a UDP packet flood (CVE-2015-5364)
* The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel
  before 4.0.6 provide inappropriate -EAGAIN return values, which allows
  remote attackers to cause a denial of service (EPOLLET epoll application
  read outage) via an incorrect checksum in a UDP packet (CVE-2015-5366)
* The get_bitmap_file function in drivers/md/md.c does not initialize a data
  structure, which allows local users to obtain sensitive information from
  kernel memory via a GET_BITMAP_FILE ioctl call (CVE-2015-5697)
* Use-after-free in the path_openat function in fs/namei.c when a lookup with
  the O_TMPFILE flag fails, triggerable by a local user via a crafted
  application and leading to a crash or potential privilege escalation
  (CVE-2015-5706)
* Potential privilege escalation due to an integer overflow in the SCSI
  generic driver, exploitable by a local user with write permission on a
  SCSI generic device (CVE-2015-5707)
* The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel
  before 4.1.5 allows local users to cause a denial of service (memory
  consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent
  file-descriptor allocation (CVE-2015-6252)
* The __rds_conn_create function in net/rds/connection.c in the Linux
  kernel through 4.2.3 allows local users to cause a denial of service
  (NULL pointer dereference and system crash) or possibly have unspecified
  other impact by using a socket that was not properly bound
  (CVE-2015-6937)
* KVM: the PIT counters of all channels are now reloaded when PIT state is
  restored (kvm_vm_ioctl_set_pit/kvm_vm_ioctl_set_pit2); previously a zero
  counter value allowed guest OS users to cause a divide-by-zero error and
  host crash (CVE-2015-7513)
* Race condition in the keyring subsystem between reading a key (KEYCTL_READ)
  and revoking it (KEYCTL_REVOKE) leads to a NULL pointer dereference and
  system crash, triggerable by a local user (CVE-2015-7550)
* NULL pointer dereference and crash in the visor USB serial driver
  (drivers/usb/serial/visor.c) on a crafted USB device with invalid interface
  descriptors, exploitable by a physically proximate attacker (CVE-2015-7566)
* Race condition in the IPC object implementation in the Linux kernel
  through 4.2.3 allows local users to gain privileges by triggering an
  ipc_addid call that leads to uid and gid comparisons against
  uninitialized data, related to msg.c, shm.c, and util.c (CVE-2015-7613)
* The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel
  through 4.2.3 does not ensure that certain slot numbers are valid, which
  allows local users to cause a denial of service (NULL pointer dereference
  and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799)
* The usbvision driver in the Linux kernel allows physically proximate
  attackers to cause a denial of service (panic) via a nonzero
  bInterfaceNumber value in a USB device descriptor (CVE-2015-7833)
* The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel
  through 4.2.6 allows local users to cause a denial of service (OOPS) via
  crafted keyctl commands (CVE-2015-7872)
* Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the
  Linux kernel before 4.3.3 allows local users to cause a denial of service
  (NULL pointer dereference and system crash) or possibly have unspecified
  other impact by using a socket that was not properly bound
  (CVE-2015-7990)
* The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
  through 4.6.x, allows guest OS users to cause a denial of service (host
  OS panic or hang) by triggering many #DB (aka Debug) exceptions, related
  to svm.c (CVE-2015-8104)
* fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed
  inline extents, which allows local users to obtain sensitive
  pre-truncation information from a file via a clone action (CVE-2015-8374)
* The networking implementation in the Linux kernel through 4.3.3, as used
  in Android and other products, does not validate protocol identifiers for
  certain protocol families, which allows local users to cause a denial of
  service (NULL function pointer dereference and system crash) or possibly
  gain privileges by leveraging CLONE_NEWUSER support to execute a crafted
  SOCK_RAW application (CVE-2015-8543)
* Xen paravirtualized backend drivers (blkback, netback, scsiback, pciback)
  were incautious about shared-ring memory contents: data read from memory
  shared with the guest was used without a single consistent copy, so a
  malicious guest could race the backend into a crash or possibly worse
  (CVE-2015-8550)
* Xen pciback missing sanity checks when handling MSI/MSI-X configuration for
  pass-through devices, leading to a host kernel crash triggered by a guest
  (CVE-2015-8551, CVE-2015-8552)
* The (1) pptp_bind and (2) pptp_connect functions in
  drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an
  address length, which allows local users to obtain sensitive information
  from kernel memory and bypass the KASLR protection mechanism via a
  crafted application (CVE-2015-8569)
* The sco_sock_bind function in net/bluetooth/sco.c does not verify an address
  length, which allows local users to obtain sensitive information from kernel
  memory and bypass the KASLR protection mechanism via a crafted application
  (CVE-2015-8575)
* kernel/ptrace.c mishandles uid and gid mappings in user namespaces, which
  allows local users to gain privileges by establishing a user namespace,
  waiting for a root process to enter that namespace with an unsafe uid or
  gid, and then using the ptrace system call (CVE-2015-8709)
* SCTP denial of service during heartbeat timeout functions (CVE-2015-8767)
* Race conditions in the TTY ioctl implementation (TIOCGETD/TIOCSETD) allow
  local users to cause a use-after-free and system crash or possibly gain
  privileges (CVE-2016-0723)
* KEYS: Fix keyring reference leak in join_session_keyring(); the leaked
  reference lets a local user overflow the keyring reference count, leading to
  a use-after-free and privilege escalation (CVE-2016-0728)
Additional notes This is the second part of the fix, which provides the new kernel package.
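The following check is an added example for administrators reading this errata; it is not part of the errata text and not code from the univention-kernel-image-signed package. It reimplements dpkg's version ordering (epoch, upstream, revision, the "~" rule and alternating letter/number runs) so that the installed package version can be compared against the "Fixed in version" above, and it separately checks the running kernel, because a new kernel package only becomes active after a reboot. The kernel check assumes the build string in /proc/version carries a Debian-style "3.16.7-cktNN" tag; the package versions and /proc/version strings used as sample input below are constructed, not captured from a real host.

```python
"""Check a UCS host against errata 390: is the fixed kernel package installed,
and is the fixed kernel the one actually running?"""
import re
import shutil
import subprocess

# Values taken from the errata text.
FIXED_PACKAGE = "univention-kernel-image-signed"
FIXED_VERSION = "1.0.3-3.12.201601221815"
FIXED_KERNEL = "3.16.7-ckt20"

# Constructed sample inputs (hypothetical, not from a real host).
SAMPLE_OLD_PACKAGE = "1.0.3-3.11.201512151510"
SAMPLE_PROC_VERSION_OLD = ("Linux version 3.16.0-4-amd64 (build@ucs) "
                           "(gcc version 4.9.2) #1 SMP Debian 3.16.7-ckt11-1")
SAMPLE_PROC_VERSION_NEW = ("Linux version 3.16.0-4-amd64 (build@ucs) "
                           "(gcc version 4.9.2) #1 SMP Debian 3.16.7-ckt20-1")


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # A run of non-digits is compared character by character by weight ...
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # ... then a run of digits is compared numerically.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def debian_version_compare(v1: str, v2: str) -> int:
    """Compare two Debian version strings; negative if v1 < v2, 0 if equal."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def package_is_fixed(installed_version: str) -> bool:
    """True if the installed package is at least the errata's fixed version."""
    return debian_version_compare(installed_version, FIXED_VERSION) >= 0


def running_kernel_is_fixed(proc_version: str) -> bool:
    """True if any 3.16.x[-cktN] tag in the /proc/version string is >= 3.16.7-ckt20.
    All tags are considered because the first one ('3.16.0-4-amd64') is the
    ABI name, not the patch level (assumption: Debian-style build string)."""
    candidates = re.findall(r"\b3\.16\.\d+(?:-ckt\d+)?", proc_version)
    return any(debian_version_compare(c, FIXED_KERNEL) >= 0 for c in candidates)


def host_status(installed_version: str, proc_version: str) -> str:
    """Both checks must pass: new package installed AND new kernel booted."""
    if not installed_version:
        return "package not installed"
    if not package_is_fixed(installed_version):
        return "vulnerable: package older than %s" % FIXED_VERSION
    if not running_kernel_is_fixed(proc_version):
        return "installed but not active: reboot required"
    return "fixed"


def _read_host():
    """Read the real values from this host (needs dpkg and /proc)."""
    version = subprocess.run(
        ["dpkg-query", "-W", "-f=${Version}", FIXED_PACKAGE],
        capture_output=True, text=True).stdout.strip()
    with open("/proc/version") as f:
        return version, f.read()


if __name__ == "__main__":
    if shutil.which("dpkg-query"):
        print(host_status(*_read_host()))
    else:  # offline demonstration with the constructed samples
        print(host_status(SAMPLE_OLD_PACKAGE, SAMPLE_PROC_VERSION_OLD))
        print(host_status(FIXED_VERSION, SAMPLE_PROC_VERSION_OLD))
        print(host_status(FIXED_VERSION, SAMPLE_PROC_VERSION_NEW))
```

On a UCS host the script reports "fixed" only after the package from this errata is installed and the system has been rebooted into the new kernel; "installed but not active" is the state most fleets are in right after `univention-upgrade` and before the reboot, and is still exposed to every CVE listed above.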
CVE ID CVE-2013-4312
CVE-2013-7446
CVE-2015-0272
CVE-2015-1333
CVE-2015-1420
CVE-2015-2925
CVE-2015-3212
CVE-2015-3290
CVE-2015-3291
CVE-2015-4167
CVE-2015-4692
CVE-2015-4700
CVE-2015-5156
CVE-2015-5157
CVE-2015-5257
CVE-2015-5283
CVE-2015-5307
CVE-2015-5364
CVE-2015-5366
CVE-2015-5697
CVE-2015-5706
CVE-2015-5707
CVE-2015-6252
CVE-2015-6937
CVE-2015-7513
CVE-2015-7550
CVE-2015-7566
CVE-2015-7613
CVE-2015-7799
CVE-2015-7833
CVE-2015-7872
CVE-2015-7990
CVE-2015-8104
CVE-2015-8374
CVE-2015-8543
CVE-2015-8550
CVE-2015-8551
CVE-2015-8552
CVE-2015-8569
CVE-2015-8575
CVE-2015-8709
CVE-2015-8767
CVE-2016-0723
CVE-2016-0728
UCS Bug number #38764