– fix cookie injection for other servers (CVE-2016-8615)
– compare user/passwd case-sensitively while reusing connections (CVE-2016-8616)
– base64: check for integer overflow on large input (CVE-2016-8617)
– fix double-free in krb5 code (CVE-2016-8619)
– fix double-free in curl_maprintf() (CVE-2016-8618)
– fix glob parser write/read out of bounds (CVE-2016-8620)
– fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
– fix URL unescape heap overflow via integer truncation (CVE-2016-8622)
– fix use-after-free via shared cookies (CVE-2016-8623)
– urlparse: accept ‘#’ as end of host name (CVE-2016-8624)