- Fix invalid-free when using getaddrinfo() and AI_IDN (CVE-2013-7424,

- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).

- Remove gconv transliteration loadable modules support (CVE-2014-5119,
  - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

- Fix integer overflows in *valloc and memalign. (#1011804).

- Add missing patch to avoid use after free (#816647).

- Fix out of bounds array access in strto* exposed by 847929 patch.

- Fix iconv() segfault if the invalid multibyte character 0xffff is input when converting from IBM930 (#837896)

- Add dist tag
- Filter out <built-in> when building file lists (#784646).
- Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794813)

- Use correct type when casting d_tag (#767687)
- Report write error  in addmnt even for cached streams (#767687)
- ldd: Never run file directly (#767687).
- Workaround misconfigured system (#767687)

- Don't underestimate length of DST substitution (#694655)

- Avoid too much stack use in fnmatch (#681054, CVE-2011-1071)
- Properly quote output of locale (#625893, CVE-2011-1095)
- Don't leave empty element in rpath when skipping the first element,
  ignore rpath elements containing non-isolated use of $ORIGIN when
  privileged (#667974, CVE-2011-0536)
- Fix handling of newline in addmntent (#559579, CVE-2010-0296)

- Require suid bit on audit objects in privileged programs (#645677,
  CVE-2010-3856)

- Never expand $ORIGIN in privileged programs (#643818, CVE-2010-3847)