CVE-2017-16790 checks that submitted data are uploaded files.
CVE-2017-11365 fixes a regression which allows an empty password to always be valid for any user.
CVE-2016-2403 fixes unauthorized access on a misconfigured LDAP server when using an empty password.
CVE-2016-4423 avoids storing large usernames in UsernamePasswordFormAuthenticationListener.
CVE-2016-1902 fixes the SecureRandom class when OpenSSL fails.
CVE-2015-8125 fixes a potential remote timing attack vulnerability in the Security remember-me service.
CVE-2015-8124 fixes a session fixation in the "Remember Me" login feature.
CVE-2015-4050 fixes unauthorized access when using ESI.
CVE-2015-2308 is about possible code injections via the ESI framework.
CVE-2015-2309 fixes some unsafe methods in the Request class.