---
- branch: MAIN
  date: Tue Mar  3 13:04:35 UTC 2020
  files:
  - new: '1.3'
    old: '1.2'
    path: pkgsrc/graphics/librsvg-c/Makefile
    pathrev: pkgsrc/graphics/librsvg-c/Makefile@1.3
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/graphics/librsvg-c/PLIST
    pathrev: pkgsrc/graphics/librsvg-c/PLIST@1.2
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/graphics/librsvg-c/distinfo
    pathrev: pkgsrc/graphics/librsvg-c/distinfo@1.2
    type: modified
  - new: '0'
    old: '1.1'
    path: pkgsrc/graphics/librsvg-c/patches/patch-test-driver
    pathrev: pkgsrc/graphics/librsvg-c/patches/patch-test-driver@0
    type: deleted
  id: 20200303T130435Z.57cfdc4bedd6b46b058243b25d1df1ed24041227
  log: |
    librsvg-c: Update to 2.40.21

    pkgsrc changes:
     - Remove patches/patch-test-driver: applied upstream

    Changes:
    2.40.21
    -------
     - CVE-2019-20446 - Backport the following fixes from 2.46.x:
     - #515 - Librsvg now has limits on the number of loaded XML elements,
       and the number of referenced elements within an SVG document.  This
       is to mitigate malicious SVGs which try to consume all memory, and
       those which try to consume an exponential amount of CPU time.
     - #308 - Fix stack exhaustion with circular references in <use> elements.
     - #323 - Fix a denial-of-service condition from exponential explosion
       of rendered elements, through nested use of SVG "use" elements in
       malicious SVGs.  This is similar to the XML "billion laughs attack"
       but for SVG instancing.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/graphics/librsvg-c'
  unixtime: '1583240675'
  user: leot