Guile 2.0.13 fixes a couple of security issues:
CVE-2016-8606 can be serious (remote code execution), but developers
using Guile can readily work around it; see the description at:
In particular, Geiser already uses Unix-domain sockets to talk to Guile,
which means we’re safe here.
CVE-2016-8605 is about the possibility of creating files with insecure
permissions in multithreaded programs. Apart from our own grafting code
(the infamous <http://bugs.gnu.org/22954>), this is probably a rare
So, what do we do?
Given that core-updates with Guile 2.0.12 is on its way and that master
is still at 2.0.11, I’d suggest to leave master as-is and focus on
There we have 2 options:
1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.
2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.
I have a preference for #2.