librsync 2.0.1 is available at a new upstream URL:

https://github.com/librsync/librsync/releases

Patch attached.

This would also include the fix for CVE-2014-8242, which is about use of a cryptographically broken hash function (truncated MD4), released in librsync 1.0.0.

However, at least btar and rdiff-backup aren't compatible with this new version of librsync (I'm still building deja-dup to test its compatibility). Additionally, I noticed that the built package doesn't keep any references to bzip2 or zlib, which seems wrong to me.

Is anyone using one of the dependent packages interested in looking more closely at this?