Hi, neither buster nor buster (security) is affected by bug #1059163. Thanks to debian/patches/CVE-2015-1197.patch, Debian cpio 2.12 isn't vulnerable. Ingo