diff --git a/ChangeLog b/ChangeLog
-index 2e4afb7..64a2746 100644
+index 2e4afb7..29b7cf5 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,5 +1,163 @@
+@@ -1,5 +1,182 @@
++2016-04-20 Yvan Roux <yvan.roux@linaro.org>
++
++ * stdlib/setenv.c (unsetenv): Fix ambiguous 'else'.
++ * nis/nis_call.c (nis_server_cache_add): Likewise.
++
++2016-04-09 Mike Frysinger <vapier@gentoo.org>
++
++ * sysdeps/i386/configure.ac: Change == to = when calling test.
++ * sysdeps/x86_64/configure.ac: Likewise.
++ * sysdeps/i386/configure: Regenerated.
++ * sysdeps/x86_64/configure: Likewise.
++
++2016-04-01 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #19879]
++ CVE-2016-3075
++ * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
++ copy name.
++
+2016-04-01 Stefan Liebler <stli@linux.vnet.ibm.com>
+
+ * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef.
(VERSION): Set to 2.23.
* include/feature.h (__GLIBC_MINOR__): Set to 23.
diff --git a/NEWS b/NEWS
-index c0276cf..674d217 100644
+index c0276cf..a08f96b 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,23 @@ See the end for copying conditions.
+@@ -5,6 +5,29 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
\f
+
+Security related changes:
+
-+ [Add security related changes here]
++* The getnetbyname implementation in nss_dns had a potentially unbounded
++ alloca call (in the form of a call to strdupa), leading to a stack
++ overflow (stack exhaustion) and a crash if getnetbyname is invoked
++ on a very long name. (CVE-2016-3075)
+
+The following bugs are resolved with this release:
+
+ [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS
+ [19759] Don't inline mempcpy for x86
+ [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String
-+ [19791] Assertion failure in res_query.c with un-connectable name server addresses
++ [19791] Assertion failure in res_query.c with un-connectable name server
++ addresses
+ [19792] MIPS: backtrace yields infinite backtrace with makecontext
+ [19822] libm.so install clobbers old version
++ [19879] network: nss_dns: Stack overflow in getnetbyname implementation
++ (CVE-2016-3075)
+
+\f
Version 2.23
* Unicode 8.0.0 Support: Character encoding, character type info, and
-@@ -38,7 +55,7 @@ Version 2.23
+@@ -38,7 +61,7 @@ Version 2.23
unnecessary serialization of memory allocation requests across threads.
The defect is now corrected. Users should see a substantial increase in
the concurent throughput of allocation requests for applications which
{
printf ("FAIL: Failed to call is* functions.\n");
exit (1);
+diff --git a/nis/nis_call.c b/nis/nis_call.c
+index 3fa37e4..cb7839a 100644
+--- a/nis/nis_call.c
++++ b/nis/nis_call.c
+@@ -680,16 +680,18 @@ nis_server_cache_add (const_nis_name name, int search_parent,
+ /* Choose which entry should be evicted from the cache. */
+ loc = &nis_server_cache[0];
+ if (*loc != NULL)
+- for (i = 1; i < 16; ++i)
+- if (nis_server_cache[i] == NULL)
+- {
++ {
++ for (i = 1; i < 16; ++i)
++ if (nis_server_cache[i] == NULL)
++ {
++ loc = &nis_server_cache[i];
++ break;
++ }
++ else if ((*loc)->uses > nis_server_cache[i]->uses
++ || ((*loc)->uses == nis_server_cache[i]->uses
++ && (*loc)->expires > nis_server_cache[i]->expires))
+ loc = &nis_server_cache[i];
+- break;
+- }
+- else if ((*loc)->uses > nis_server_cache[i]->uses
+- || ((*loc)->uses == nis_server_cache[i]->uses
+- && (*loc)->expires > nis_server_cache[i]->expires))
+- loc = &nis_server_cache[i];
++ }
+ old = *loc;
+ *loc = new;
+
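Review bot: The loop bound in `for (i = 1; i < 16; ++i)` is a bare literal that has to agree with the size of `nis_server_cache`, whose declaration is outside this hunk. If the array is ever resized, the eviction scan would either skip slots or index past the end. A named constant shared with the declaration would keep the two tied together, e.g. `for (i = 1; i < NIS_SERVER_CACHE_SIZE; ++i)`, where `NIS_SERVER_CACHE_SIZE` is a placeholder name rather than an existing macro. The added braces are otherwise fine: they make explicit that the `else if` dereference of `nis_server_cache[i]` pairs with the inner NULL check, not with `if (*loc != NULL)`.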
diff --git a/po/be.po b/po/be.po
index 66d1235..ffb39b4 100644
--- a/po/be.po
#~ msgid "compile-time support for database policy missing"
#~ msgstr "compile-time 支援用於資料庫策略缺少"
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 2eb2f67..8f301a7 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
+ } net_buffer;
+ querybuf *orig_net_buffer;
+ int anslen;
+- char *qbuf;
+ enum nss_status status;
+
+ if (__res_maybe_init (&_res, 0) == -1)
+ return NSS_STATUS_UNAVAIL;
+
+- qbuf = strdupa (name);
+-
+ net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+
+- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
++ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
+ 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
+ if (anslen < 0)
+ {
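Review bot: Nothing at the `__libc_res_nsearch (&_res, name, ...)` call records that `name` is now passed through uncopied, so any length limit is enforced only by the resolver. Presumably the resolver rejects over-long names, but that is not visible in this hunk. A one-line comment would stop a later change from reintroducing a caller-sized stack copy, e.g. `/* Pass NAME directly; do not copy it to the stack (CVE-2016-3075). */`. The remaining `alloca (1024)` is fixed-size, but `1024` is repeated as the answer-length argument on the following line, so a single named constant would keep the two from drifting apart. A regression test that calls getnetbyname with a very long name would also be worth adding alongside this fix. The body of `_nss_dns_getnetbyname_r` starts and ends outside the hunk.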
diff --git a/resolv/res_init.c b/resolv/res_init.c
index e0b6a80..6c951f5 100644
--- a/resolv/res_init.c
else {
/* poll should not have returned > 0 in this case. */
abort ();
+diff --git a/stdlib/setenv.c b/stdlib/setenv.c
+index da61ee0..e66045f 100644
+--- a/stdlib/setenv.c
++++ b/stdlib/setenv.c
+@@ -278,18 +278,20 @@ unsetenv (const char *name)
+ ep = __environ;
+ if (ep != NULL)
+ while (*ep != NULL)
+- if (!strncmp (*ep, name, len) && (*ep)[len] == '=')
+- {
+- /* Found it. Remove this pointer by moving later ones back. */
+- char **dp = ep;
+-
+- do
+- dp[0] = dp[1];
+- while (*dp++);
+- /* Continue the loop in case NAME appears again. */
+- }
+- else
+- ++ep;
++ {
++ if (!strncmp (*ep, name, len) && (*ep)[len] == '=')
++ {
++ /* Found it. Remove this pointer by moving later ones back. */
++ char **dp = ep;
++
++ do
++ dp[0] = dp[1];
++ while (*dp++);
++ /* Continue the loop in case NAME appears again. */
++ }
++ else
++ ++ep;
++ }
+
+ UNLOCK;
+
diff --git a/sysdeps/arm/nacl/libc.abilist b/sysdeps/arm/nacl/libc.abilist
index 561441e..0560510 100644
--- a/sysdeps/arm/nacl/libc.abilist
+GLIBC_2.23 fts64_open F
+GLIBC_2.23 fts64_read F
+GLIBC_2.23 fts64_set F
+diff --git a/sysdeps/i386/configure b/sysdeps/i386/configure
+index 9515719..5b55c5a 100644
+--- a/sysdeps/i386/configure
++++ b/sysdeps/i386/configure
+@@ -72,7 +72,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5
+ $as_echo "$libc_cv_asm_mpx" >&6; }
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+ $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h
+
+ fi
+diff --git a/sysdeps/i386/configure.ac b/sysdeps/i386/configure.ac
+index f8f9e44..19ef33f 100644
+--- a/sysdeps/i386/configure.ac
++++ b/sysdeps/i386/configure.ac
+@@ -41,7 +41,7 @@ else
+ libc_cv_asm_mpx=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+ AC_DEFINE(HAVE_MPX_SUPPORT)
+ fi
+
diff --git a/sysdeps/i386/i686/multiarch/bcopy.S b/sysdeps/i386/i686/multiarch/bcopy.S
index d5b408d..ce6661b 100644
--- a/sysdeps/i386/i686/multiarch/bcopy.S
/* Enable inline functions only for i486 or better when compiling for
ia32. */
#if !defined __x86_64__ && (defined __i486__ || defined __pentium__ \
+diff --git a/sysdeps/x86_64/configure b/sysdeps/x86_64/configure
+index c72b9d3..88fbfe4 100644
+--- a/sysdeps/x86_64/configure
++++ b/sysdeps/x86_64/configure
+@@ -24,7 +24,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_avx512" >&5
+ $as_echo "$libc_cv_asm_avx512" >&6; }
+-if test $libc_cv_asm_avx512 == yes; then
++if test $libc_cv_asm_avx512 = yes; then
+ $as_echo "#define HAVE_AVX512_ASM_SUPPORT 1" >>confdefs.h
+
+ fi
+@@ -77,7 +77,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5
+ $as_echo "$libc_cv_asm_mpx" >&6; }
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+ $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h
+
+ fi
+diff --git a/sysdeps/x86_64/configure.ac b/sysdeps/x86_64/configure.ac
+index 37b1059..b39309e 100644
+--- a/sysdeps/x86_64/configure.ac
++++ b/sysdeps/x86_64/configure.ac
+@@ -13,7 +13,7 @@ else
+ libc_cv_asm_avx512=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_avx512 == yes; then
++if test $libc_cv_asm_avx512 = yes; then
+ AC_DEFINE(HAVE_AVX512_ASM_SUPPORT)
+ fi
+
+@@ -37,7 +37,7 @@ else
+ libc_cv_asm_mpx=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+ AC_DEFINE(HAVE_MPX_SUPPORT)
+ fi
+
diff --git a/sysdeps/x86_64/dl-trampoline.S b/sysdeps/x86_64/dl-trampoline.S
index 9fb6b13..39b8771 100644
--- a/sysdeps/x86_64/dl-trampoline.S