Errata overview
Errata ID: 629
Date: 2019-03-27
Source package: univention-kernel-image-signed
Fixed in version: 3.0.2-40A~4.2.0.201903261206
Description:
This update of the Linux kernel to version 4.9.165 addresses the following
issues:
* Null pointer dereference in fs/f2fs/segment.c via mounting fs with
  noflush_merge option allows local denial of service (CVE-2017-18241)
* Race condition in fs/f2fs/node.c:add_free_nid() function allows local users
  to cause denial of service (CVE-2017-18249)
* cephx protocol is vulnerable to replay attack (CVE-2018-1128)
* cephx uses weak signatures (CVE-2018-1129)
* cpu: speculative store bypass (CVE-2018-3639)
* IP fragments with random offsets allow a remote denial of service
  (FragmentSmack) (CVE-2018-5391)
* buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may
  lead to memory corruption (CVE-2018-5848)
* irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554)
* irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555)
* Denial of service in resv_map_release function in mm/hugetlb.c
  (CVE-2018-7740)
* Information exposure in fd_locked_ioctl function in drivers/block/floppy.c
  (CVE-2018-7755)
* Buffer overflow in hidp_process_report (CVE-2018-9363)
* Use-after-free in drivers/android/binder.c (CVE-2018-9465)
* HID: debug: Buffer overflow in hid_debug_events_read() in
  drivers/hid/hid-debug.c (CVE-2018-9516)
* use-after-free detected in ext4_xattr_set_entry with a crafted file
  (CVE-2018-10879)
* stack-out-of-bounds write in ext4_update_inline_data function
  (CVE-2018-10880)
* stack-out-of-bounds write in jbd2_journal_dirty_metadata function
  (CVE-2018-10883)
* MIDI driver race condition leads to a double-free (CVE-2018-10902)
* infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS
  (CVE-2018-10938)
* Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of
  service or other unspecified impact (CVE-2018-11506)
* Integer overflow in kernel/time/posix-timers.c (CVE-2018-12896)
* Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)
* out-of-bounds memory access in fs/f2fs/super.c (CVE-2018-13096)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13097)
* out-of-bounds memory access in fs/f2fs/inline.c (CVE-2018-13099)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13100)
* Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root()
  when mounting crafted btrfs image (CVE-2018-14609)
* Out-of-bounds access in write_extent_buffer() when mounting and operating a
  crafted btrfs image (CVE-2018-14610)
* Use-after-free in try_merge_free_space() when mounting crafted btrfs image
  (CVE-2018-14611)
* Invalid pointer dereference in btrfs_root_node() when mounting a crafted
  btrfs image (CVE-2018-14612)
* Invalid pointer dereference in io_ctl_map_page() when mounting and
  operating a crafted btrfs image (CVE-2018-14613)
* Out-of-bounds access in fs/f2fs/segment.c:__remove_dirty_segment() when
  mounting a crafted f2fs image (CVE-2018-14614)
* NULL pointer dereference in fs/crypto/crypto.c:fscrypt_do_page_crypto()
  when operating on a corrupted f2fs image (CVE-2018-14616)
* NULL pointer dereference in fs/hfsplus/dir.c:hfsplus_lookup() when
  operating on a file in a crafted hfs+ image (CVE-2018-14617)
* use-after-free read in vhost_transport_send_pkt (CVE-2018-14625)
* stack-based buffer overflow in chap_server_compute_md5() in iscsi target
  (CVE-2018-14633)
* a bug in ip_frag_reasm() can cause a crash in ip_do_fragment()
  (CVE-2018-14641)
* Uninitialized state in x86 PV failsafe callback path (XSA-274,
  CVE-2018-14678)
* net: xen: Linux netback driver OOB access in hash handling (XSA-270,
  CVE-2018-15471)
* hw: cpu: userspace-userspace spectreRSB attack (CVE-2018-15572)
* Mishandling of indirect calls weakens Spectre mitigation for paravirtual
  guests (CVE-2018-15594)
* incorrect bounds checking in yurex_read in drivers/usb/misc/yurex.c
  (CVE-2018-16276)
* Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)
* cleancache: Infoleak of deleted files after reuse of old inodes
  (CVE-2018-16862)
* nfs: use-after-free in svc_process_common() (CVE-2018-16884)
* Use-after-free in the vmacache_flush_all function resulting in a possible
  privilege escalation (CVE-2018-17182)
* Unprivileged users able to inspect kernel stacks of arbitrary tasks
  (CVE-2018-17972)
* Privilege escalation on arm64 via KVM hypervisor (CVE-2018-18021)
* TLB flush happens too late on mremap (CVE-2018-18281)
* filesystem corruption due to an unchecked error condition during an xfs
  attribute change (CVE-2018-18690)
* Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c
  (CVE-2018-18710)
* kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c
  (CVE-2018-19407)
* Use-after-free in sound/usb/card.c:usb_audio_probe() (CVE-2018-19824)
* oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985)
* Mishandled size checks during the reading of an extra descriptor
  (CVE-2018-20169)
* Memory address exposure in drivers/net/appletalk/ipddp.c:ipddp_ioctl() by
  users with CAP_NET_ADMIN (CVE-2018-20511)
* Improper validation in the bnx2x network card driver can allow denial of
  service attacks via a crafted packet (CVE-2018-1000026)
* Missing check in net/can/gw.c:can_can_gw_rcv() allows a crash to be triggered
  by users with CAP_NET_ADMIN (CVE-2019-3701)
* infinite loop in drivers/hid/hid-debug.c:hid_debug_events_read()
  (CVE-2019-3819)
* fork: record start_time late (CVE-2019-6133)
* KVM: potential use-after-free via kvm_ioctl_create_device() (CVE-2019-6974)
* KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption
  timer (CVE-2019-7221)
* KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)
* Memory leak in the kernel_read_file function in fs/exec.c can be used to
  cause a denial of service (CVE-2019-8980)
* Lack of a check for the mmap minimum address in expand_downwards in
  mm/mmap.c leads to exploitable NULL pointer dereferences on non-SMAP
  platforms (CVE-2019-9213)
Additional notes: This is the second of three parts of this update.
CVE IDs:
CVE-2017-18241
CVE-2017-18249
CVE-2018-1128
CVE-2018-1129
CVE-2018-3639
CVE-2018-5391
CVE-2018-5848
CVE-2018-6554
CVE-2018-6555
CVE-2018-7740
CVE-2018-7755
CVE-2018-9363
CVE-2018-9465
CVE-2018-9516
CVE-2018-10879
CVE-2018-10880
CVE-2018-10883
CVE-2018-10902
CVE-2018-10938
CVE-2018-11506
CVE-2018-12896
CVE-2018-13053
CVE-2018-13096
CVE-2018-13097
CVE-2018-13099
CVE-2018-13100
CVE-2018-14609
CVE-2018-14610
CVE-2018-14611
CVE-2018-14612
CVE-2018-14613
CVE-2018-14614
CVE-2018-14616
CVE-2018-14617
CVE-2018-14625
CVE-2018-14633
CVE-2018-14641
CVE-2018-14678
CVE-2018-15471
CVE-2018-15572
CVE-2018-15594
CVE-2018-16276
CVE-2018-16658
CVE-2018-16862
CVE-2018-16884
CVE-2018-17182
CVE-2018-17972
CVE-2018-18021
CVE-2018-18281
CVE-2018-18690
CVE-2018-18710
CVE-2018-19407
CVE-2018-19824
CVE-2018-19985
CVE-2018-20169
CVE-2018-20511
CVE-2018-1000026
CVE-2019-3701
CVE-2019-3819
CVE-2019-6133
CVE-2019-6974
CVE-2019-7221
CVE-2019-7222
CVE-2019-8980
CVE-2019-9213
UCS Bug number: #47905