diff --git a/0022-curl-7.47.1-CVE-2016-8615.patch b/0022-curl-7.47.1-CVE-2016-8615.patch
new file mode 100644
index 0000000..5d5d4bc
--- /dev/null
+++ b/0022-curl-7.47.1-CVE-2016-8615.patch
@@ -0,0 +1,70 @@
+From 1ac97e5d7a54fd50543977a861fac2ab2ed84d43 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE-2016-8615
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+
+Upstream-commit: cff89bc088b7884098ea0c5378bbda3d49c437bc
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 7a60411..f5a8846 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -892,6 +892,35 @@ Curl_cookie_add(struct SessionHandle *data,
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++    char *b = fgets(buf, len, input);
++    if(b) {
++      size_t rlen = strlen(b);
++      if(rlen && (b[rlen-1] == '\n')) {
++        if(partial) {
++          partial = FALSE;
++          continue;
++        }
++        return b;
++      }
++      else
++        /* read a partial, discard the next piece that ends with newline */
++        partial = TRUE;
++    }
++    else
++      break;
++  }
++  return NULL;
++}
++
++
+ /*****************************************************************************
+  *
+  * Curl_cookie_init()
+@@ -948,7 +977,7 @@ struct CookieInfo *Curl_cookie_init(struct SessionHandle *data,
+     line = malloc(MAX_COOKIE_LINE);
+     if(!line)
+       goto fail;
+-    while(fgets(line, MAX_COOKIE_LINE, fp)) {
++    while(get_line(line, MAX_COOKIE_LINE, fp)) {
+       if(checkprefix("Set-Cookie:", line)) {
+         /* This is a cookie line, get it! */
+         lineptr=&line[11];
+-- 
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index 6ec7bc7..5853baa 100644
--- a/curl.spec
+++ b/curl.spec
@@ -55,6 +55,9 @@ Patch20:  0020-curl-7.47.1-CVE-2016-8617.patch
 # compare user/passwd case-sensitively while reusing connections (CVE-2016-8616)
 Patch21:  0021-curl-7.47.1-CVE-2016-8616.patch
 
+# fix cookie injection for other servers (CVE-2016-8615)
+Patch22:  0022-curl-7.47.1-CVE-2016-8615.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -184,6 +187,7 @@ documentation of the library, too.
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -300,6 +304,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
 * Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
+- fix cookie injection for other servers (CVE-2016-8615)
 - compare user/passwd case-sensitively while reusing connections (CVE-2016-8616)
 - base64: check for integer overflow on large input (CVE-2016-8617)
 - fix double-free in krb5 code (CVE-2016-8619)