librsvg-2.50.4

[Douglas R. Reno]

New point version

News
====

Update dependent crates that had security vulnerabilities:

  futures-util to 0.3.14  - RUSTSEC-2020-0059
  futures-task to 0.3.14  - RUSTSEC-2020-0060
  generic-array to 0.13.3 - RUSTSEC-2020-0146  
  smallvec to 1.6.1       - RUSTSEC-2021-0030

There are no changes to the library code.

[Douglas R. Reno]

Actually, this should be 2.50.4

[Douglas R. Reno]

The release notes in the ticket description are incorrect. The correct ones:

News
====

Update dependent crates that had security vulnerabilities:

  generic-array to 0.13.3 - RUSTSEC-2020-0146

- #686 - Reduced stack usage (Sebastian Dröge).

- #698 - Add limit for too-large radiuses on the feMorphology filter (Madds H).

- #703 - Properly ignore elements in an error state inside the "switch" element.

RUSTSEC-2020-0146: ​https://github.com/fizyk20/generic-array/issues/98

Rust seems to keep their security advisories here: ​https://rustsec.org/advisories/

In our case, we're looking for RUSTSEC-2020-0146, which can be found here: ​https://rustsec.org/advisories/RUSTSEC-2020-0146.html

RUSTSEC-2020-0146: generic-array: arr! macro erases lifetimes
April 9, 2020
Description

Affected versions of this crate allowed unsoundly extending lifetimes using arr! macro. This may result in a variety of memory corruption scenarios, most likely use-after-free.

Since this is the first "security vulnerability in a rust crate" that we've encountered, I've sent an email to all editors on how to find the information necessary to assign a severity. In this case, I'll put Moderate in the advisory.

[Douglas R. Reno]

Fixed at bbba22e568

[Bruce Dubbs]

Milestone renamed