Errata overview
Errata ID 338
Date 2016-12-01
Source package qemu
Fixed in version 1.1.2+dfsg-6.54.201611101925
Description
This update addresses the following issues:
* The VGA module in QEMU improperly performs bounds checking on banked
  access to video memory, which allows local guest OS administrators
  to execute arbitrary code on the host by changing access modes after
  setting the bank register, aka the "Dark Portal" issue (CVE-2016-3710)
* Integer overflow in the VGA module in QEMU allows local guest OS users
  to cause a denial of service (out-of-bounds read and QEMU process crash)
  by editing VGA registers in VBE mode (CVE-2016-3712)
* The net_checksum_calculate function in net/checksum.c in QEMU allows
  local guest OS users to cause a denial of service (out-of-bounds heap
  read and crash) via the payload length in a crafted packet (CVE-2016-2857)
* The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI
  Controller (FSC) support in QEMU does not properly check command buffer
  length, which allows local guest OS administrators to cause a denial
  of service (out-of-bounds write and QEMU process crash) or potentially
  execute arbitrary code on the QEMU host via unspecified vectors
  (CVE-2016-4439)
* scsi: esp: OOB write access while reading ESP command (CVE-2016-6351)
* Integer overflow in vnc_client_read() and protocol_client_msg()
  (CVE-2015-5239)
* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not
  initialize the imm32 variable, which allows local guest OS administrators
  to obtain sensitive information from host stack memory by accessing the
  Task Priority Register (TPR) (CVE-2016-4020)
* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local
  guest OS administrators to cause a denial of service (memory consumption
  and QEMU process crash) by submitting requests without waiting for
  completion (CVE-2016-5403)
* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)
* Heap-based buffer overflow in the .receive callback of
  xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers
  to execute arbitrary code on the QEMU host via a large ethlite packet
  (CVE-2016-7161)
* vmware_vga: OOB stack memory access when processing svga command
  (CVE-2016-7170)
* The mcf_fec_do_tx function in hw/net/mcf_fec.c does not properly limit
  the buffer descriptor count when transmitting packets, which allows local
  guest OS administrators to cause a denial of service (infinite loop and
  QEMU process crash) via vectors involving a buffer descriptor with a
  length of 0 and crafted values in bd.flags (CVE-2016-7908)
* usb: xHCI: infinite loop vulnerability in xhci_ring_fetch (CVE-2016-8576)
* 9pfs: host memory leakage in v9fs_read (CVE-2016-8577)
* 9pfs: potential NULL dereference in 9pfs routines (CVE-2016-8578)
* char: divide by zero error in serial_update_parameters (CVE-2016-8669)
* net: pcnet: check rx/tx descriptor ring length (CVE-2016-7909)
* audio: intel-hda: check stream entry count during transfer (CVE-2016-8909)
* net: rtl8139: limit processing of ring descriptors (CVE-2016-8910)
* net: eepro100: fix memory leak in device uninit (CVE-2016-9101)
* 9pfs: fix information leak in xattr read (CVE-2016-9102)
* 9pfs: fix memory leak in v9fs_xattrcreate (CVE-2016-9103)
* 9pfs: fix integer overflow issue in xattr read/write (CVE-2016-9104)
* 9pfs: fix memory leak in v9fs_link (CVE-2016-9105)
* 9pfs: fix memory leak in v9fs_write (CVE-2016-9106)
Additional notes
CVE ID CVE-2016-3710, CVE-2016-3712, CVE-2016-2857, CVE-2016-4439, CVE-2016-6351, CVE-2015-5239, CVE-2016-4020, CVE-2016-5403, CVE-2016-7116, CVE-2016-7161, CVE-2016-7170, CVE-2016-7908, CVE-2016-8576, CVE-2016-8577, CVE-2016-8578, CVE-2016-8669, CVE-2016-7909, CVE-2016-8909, CVE-2016-8910, CVE-2016-9101, CVE-2016-9102, CVE-2016-9103, CVE-2016-9104, CVE-2016-9105, CVE-2016-9106
UCS Bug number #40920