Hello, This is to inform you that GNU cpio version 2.13 is available for download. This stable release fixes several potential vulnerabilities, namely: CVE-2015-1197, CVE-2016-2037, CVE-2019-14866.
Here are the compressed sources: https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz (1.9MB) https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.bz2 (1.3MB) Here are the GPG detached signatures[*]: https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz.sig https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.bz2.sig Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html Here are the MD5 and SHA1 checksums: 389c5452d667c23b5eceb206f5000810 cpio-2.13.tar.gz f3438e672e3fa273a7dc26339dd1eed6 cpio-2.13.tar.bz2 9568076fd23fb9bc00d32ee458bb2231d5254e40 cpio-2.13.tar.gz 4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 cpio-2.13.tar.bz2 [*] Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify cpio-2.13.tar.gz.sig If that command fails because you don't have the required public key, then run this command to import it: gpg --keyserver keys.gnupg.net --recv-keys 3602B07F55D0C732 and rerun the 'gpg --verify' command. Best regards, Sergey -- If you have a working or partly working program that you'd like to offer to the GNU project as a GNU package, see https://www.gnu.org/help/evaluation.html.