This update for lilypond fixes the following issues:
- CVE-2018-10992: lilypond: Does not validate strings before launching
  the program specified by the BROWSER environment variable, which
  allows remote attackers to conduct argument-injection attacks
  (bsc#1093056)
- packages do not build reproducibly from unsorted input (bsc#1041090)