Hi Ola & Thomas,
> I have been preparing fixes for CVE-2019-14866 for Debian oldstable
Thank you. The issue has been fixed in commit 7554e3e4 [1].
Regards,
Sergey
[1] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7