Errata overview
Errata ID 627
Date 2020-06-17
Source package linux
Fixed in version 4.9.210-1+deb9u1
Description
This update of the Linux kernel to version 4.9.210 addresses the following
issues:
* possible execution path in MMU code leads to local escalation of privilege
  (CVE-2019-2182)
* triggering AP to send IAPP location updates for stations before the
  required authentication process has completed can lead to DoS
  (CVE-2019-5108)
* out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c
  (CVE-2019-19319)
* NULL pointer dereference in relay_open in kernel/relay.c (CVE-2019-19462)
* use-after-free in __blk_add_trace in kernel/trace/blktrace.c
  (CVE-2019-19768)
* NULL pointer dereference in tw5864_handle_frame function in
  drivers/media/pci/tw5864/tw5864-video.c (CVE-2019-20806)
* An issue was discovered in the Linux kernel before 5.0.6. In
  rx_queue_add_kobject() and netdev_queue_add_kobject() in
  net/core/net-sysfs.c, a reference count is mishandled, aka
  CID-a3e23f719f5c. (CVE-2019-20811)
* Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543)
* kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1
  resources (CVE-2020-2732)
* use-after-free in fs/namei.c (CVE-2020-8428)
* out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c
  (CVE-2020-8647)
* use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c
  (CVE-2020-8648)
* invalid read location in vgacon_invert_region function in
  drivers/video/console/vgacon.c (CVE-2020-8649)
* out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)
* NetLabel: null pointer dereference while receiving CIPSO packet with null
  category may cause kernel panic (CVE-2020-10711)
* uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)
* SELinux netlink permission check bypass (CVE-2020-10751)
* kernel: DAX hugepages not considered during mremap (CVE-2020-10757)
* vhost-net: stack overflow in get_raw_socket while checking sk_family field
  (CVE-2020-10942)
* transmission of uninitialized data allows attackers to read sensitive
  information (CVE-2020-11494)
* out-of-bounds write in mpol_parse_str function in mm/mempolicy.c
  (CVE-2020-11565)
* NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs
  in drivers/media/usb/gspca/ov519.c (CVE-2020-11608)
* NULL pointer dereference due to incorrect handling of invalid descriptors
  in stv06xx subsystem (CVE-2020-11609)
* mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c
  (CVE-2020-11668)
* A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x
  before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before
  4.19.119, and 5.x before 5.3 allows local users to cause a denial of
  service (panic) by corrupting a mountpoint reference counter.
  (CVE-2020-12114)
* use-after-free in usb_sg_cancel function in drivers/usb/core/message.c
  (CVE-2020-12464)
* race condition in __mptctl_ioctl function in
  drivers/message/fusion/mptctl.c allows local users to hold an incorrect
  lock during the ioctl operation (CVE-2020-12652)
* buffer overflow in mwifiex_cmd_append_vsie_tlv function in
  drivers/net/wireless/marvell/mwifiex/scan.c (CVE-2020-12653)
* heap-based buffer overflow in mwifiex_ret_wmm_get_status function in
  drivers/net/wireless/marvell/mwifiex/wmm.c (CVE-2020-12654)
* sg_write function lacks an sg_remove_request call in a certain failure case
  (CVE-2020-12770)
* gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux
  kernel through 5.6.13 relies on kstrdup without considering the possibility
  of an internal '\0' value, which allows attackers to trigger an
  out-of-bounds read, aka CID-15753588bcd4. (CVE-2020-13143)
Additional notes This is the 1st part of two parts.
CVE ID CVE-2019-2182
CVE-2019-5108
CVE-2019-19319
CVE-2019-19462
CVE-2019-19768
CVE-2019-20806
CVE-2019-20811
CVE-2020-0543
CVE-2020-2732
CVE-2020-8428
CVE-2020-8647
CVE-2020-8648
CVE-2020-8649
CVE-2020-9383
CVE-2020-10711
CVE-2020-10732
CVE-2020-10751
CVE-2020-10757
CVE-2020-10942
CVE-2020-11494
CVE-2020-11565
CVE-2020-11608
CVE-2020-11609
CVE-2020-11668
CVE-2020-12114
CVE-2020-12464
CVE-2020-12652
CVE-2020-12653
CVE-2020-12654
CVE-2020-12770
CVE-2020-13143
UCS Bug number #51490