~ chicken-core (chicken-5) 724f6866bb809c140b4a0b39e51630baf1944c93

commit 724f6866bb809c140b4a0b39e51630baf1944c93
Author:     Peter Bex <peter@more-magic.net>
AuthorDate: Fri Aug 19 20:39:33 2016 +0200
Commit:     Peter Bex <peter@more-magic.net>
CommitDate: Fri Aug 19 20:39:33 2016 +0200

    Add CVE-2016-683[01] for process-spawn/process-execute bugs to NEWS

diff --git a/NEWS b/NEWS
index b1a110de..d64c8189 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,14 @@
 4.11.1
 
 - Security fixes
-  - Fix buffer overrun due to excessively long argument or
-    environment lists in process-execute and process-spawn (#1308).
+  - CVE-2016-6830: Fix buffer overrun due to excessively long argument
+    or environment lists in process-execute and process-spawn (#1308).
     This also removes unnecessary limitations on the length of
     these lists (thanks to Vasilij Schneidermann).
+  - CVE-2016-6831: Fix memory leak in process-execute and
+    process-spawn.  If, during argument and environment list
+    processing, a list item isn't a string, an exception is thrown,
+    in which case previously malloc()ed strings weren't freed.
 
 - Compiler:
   - define-constant now correctly keeps symbol values quoted.