~ chicken-core (chicken-5) f002246ce5f94d36d58e3b0b8e66b18e33b9e4d1

commit f002246ce5f94d36d58e3b0b8e66b18e33b9e4d1
Author:     Peter Bex <peter@more-magic.net>
AuthorDate: Fri Aug 19 20:39:33 2016 +0200
Commit:     Peter Bex <peter@more-magic.net>
CommitDate: Fri Aug 19 20:39:48 2016 +0200

    Add CVE-2016-683[01] for process-spawn/process-execute bugs to NEWS

diff --git a/NEWS b/NEWS
index 69c269ca..c0ecd9c5 100644
--- a/NEWS
+++ b/NEWS
@@ -56,10 +56,14 @@
 4.11.1
 
 - Security fixes
-  - Fix buffer overrun due to excessively long argument or
-    environment lists in process-execute and process-spawn (#1308).
+  - CVE-2016-6830: Fix buffer overrun due to excessively long argument
+    or environment lists in process-execute and process-spawn (#1308).
     This also removes unnecessary limitations on the length of
     these lists (thanks to Vasilij Schneidermann).
+  - CVE-2016-6831: Fix memory leak in process-execute and
+    process-spawn.  If, during argument and environment list
+    processing, a list item isn't a string, an exception is thrown,
+    in which case previously malloc()ed strings weren't freed.
 
 - Compiler:
   - define-constant now correctly keeps symbol values quoted.