Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, This update fixes CVE-2019-20446, which the Security Team marked as no-dsa. I considered updating to 2.44.16, which has a sensible set of changes to the librsvg code. Unfortunately the newer tarball also updates all of the vendored rust modules (which we do use, see #907629) and although I have been using that newer version in buster for over a week, I don't really feel confortable with that change (and I don't think you'd have approved it either). So I have gone with the minimal backport to 2.44.10 instead (which I've also tested) and it's already uploaded. debdiff attached. Let me know if there are any problems. Thanks, Emilio
