File: NEWS

package info (click to toggle)
inn2 2.6.3-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 13,228 kB
  • sloc: ansic: 96,526; sh: 15,562; perl: 13,281; makefile: 3,700; yacc: 842; python: 309; lex: 262
file content (2323 lines) | stat: -rw-r--r-- 117,489 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
Changes in 2.6.3

    * Fixed the selection of the elliptic curve to use with OpenSSL 1.1.0 or
      later; NIST P-256 was enforced instead of using the most secure curve.

    * A new inn.conf parameter has been added to fine-tune the cipher suites
      to use with TLS 1.3:  the *tlsciphers13* now permits configuring them.
      A separate cipher suite configuration parameter is needed for TLS 1.3
      because TLS 1.3 cipher suites are not compatible with TLS 1.2, and
      vice-versa.  In order to avoid issues where legacy TLS 1.2 cipher
      suite configuration configured in the *tlsciphers* parameter would
      inadvertently disable all TLS 1.3 cipher suites, the inn.conf
      configuration has been separated out.

    * Fixed a regression since INN 2.6.1 that prevented articles with
      internationalized header fields (that is to say encoded in UTF-8) from
      being posted.

    * Support for Python 3 has been added to INN.  Embedded Python filtering
      and authentication hooks for innd and nnrpd can now use version 3.3.0
      or later of the Python interpreter.  In the 2.x series, version 2.3.0
      or later is still supported.

      When configuring INN with the --with-python flag, the "PYTHON"
      environment variable, when set, is used to select the interpreter to
      embed.  Otherwise, it is searched in standard paths.

      In case you change the Python interpreter to embed, make sure that the
      Python scripts you use are written in the expected syntax for that
      version of the Python interpreter.  Notably, buffer objects have been
      replaced with memoryview objects in Python 3, and UTF-8 encoding now
      really matters for string literals (Python 3 uses bytes and Unicode
      objects).

      INN documentation and samples of Python hooks have been updated to
      provide more examples.

    * When a Python or Perl filter hook rejects an article, innd now
      mentions the reason in response to CHECK and TAKETHIS commands. 
      Previously, the reason was given only for the IHAVE command.

    * nnrpd now properly logs the hostname of clients whose connection
      failed owing to an issue during the negotiation of a TLS session or
      high load average.

Changes in 2.6.2

    * A new *syntaxchecks* parameter has been added in inn.conf.  It permits
      controlling the level of checks performed by innd and nnrpd.  Up to
      now, only one check can be enabled/disabled:  when *laxmid* is
      mentioned in the values of this new parameter, INN accepts Message-IDs
      that contain ".." in the left part, as well as Message-IDs with two
      "@" (such Message-IDs would otherwise be considered as syntactically
      invalid).  See the inn.conf(5) man page for more details.

      The check is disabled by default (*no-laxmid*), which corresponds to
      the legacy behaviour of INN 2.6.1 and earlier.

    * Use of the ovdb_server helper server is now the default when using the
      ovdb overview method, that is to say the default value for the
      *readserver* parameter in ovdb.conf is now set to true.  It improves
      stability and avoids deadlocks, timing issues and corrupted ovdb
      databases.

    * mailpost now removes empty header fields before attempting to post
      articles, and keeps trace of them in the X-Mailpost-Empty-Hdrs: newly
      generated header field body.  Also, mailpost now sanitizes header
      fields with regards to empty continuation header lines.  Thanks to
      Kamil Jonca for these bug reports.

    * A new -z parameter has been added to mailpost to mention a list of
      header fields to remove from the gated message.  Thanks to Dieter
      Stussy for the patch.

    * Fixed a bug in inews that was rejecting articles containing header
      fields whose length exceeded 998 bytes.  This limitation is for the
      length of a single line of a header field (and not for the length of
      the whole header field, as it was wrongly the case).

    * Added support for GnuPG's gpg binary (in addition to gpgv) in
      pgpverify.  Indeed, gpg still validates signatures made with weak
      digest algorithms like MD5 whereas gpgv no longer do.  Thanks to
      Thomas Hochstein for the patch, which permits validating control
      articles for hierarchies that are still using old PGP keys.

    * Added similar support for GnuPG's gpg binary in perl-nocem to validate
      NoCeM notices from issuers who are still using old PGP keys.

    * A few commands listed in the "Control commands to INND" section in
      daily Usenet reports were appearing as a mere letter; all of them are
      now properly converted to meaningful words.

    * The *tlsprotocols* parameter in inn.conf now recognizes the "TLSv1.3"
      value (for OpenSSL versions implementing TLS 1.3, that is to say
      starting from OpenSSL 1.1.1).

    * The buffindexed overview method will now hopefully work properly on
      systems with a native page size larger than 16KB.

    * Other minor bug fixes and documentation improvements.

Changes in 2.6.1

    * nnrpd now uses -0000 as the time zone for Date: and Injection-Date:
      header fields it generates.  It was previously using +0000, wrongly
      systematically indicating a local time zone at Universal Time when
      *localtime* is set to false (which is the default) in readers.conf. 
      The +0000 time zone will now be used only if *localtime* is set to
      true and UTC is really the local time zone of the server.

    * Julien Elie has implemented in nnrpd the new COMPRESS command
      described in draft-murchison-nntp-compress that extends the NNTP
      protocol to allow a connection to be effectively and efficiently
      compressed.  News clients that also support that extension will be
      able to benefit from that bandwidth optimization and improvement in
      speed.  Moreover, using COMPRESS is more secure than TLS-level
      compression, as far as authentication credentials are concerned.

    * The default value for the *tlscompression* parameter in inn.conf has
      changed.  TLS-level compression is now disabled by default, to comply
      with the best current practices for a secure use of TLS in application
      protocols like NNTP.  Using the new COMPRESS command is recommended.

    * The *tlscompression* parameter in inn.conf now also permits disabling
      TLS-level compression with OpenSSL 0.9.8.  It previously had an effect
      only when OpenSSL 1.0.0 or later was used.

    * rnews no longer segfaults at startup when started setuid news.  Thanks
      to Marcus Jodorf for the bug report.

    * Fixed slow nnrpd responses for a few NNTP commands.  The TCP_NODELAY
      option was unconditionally set whereas only BSD/OS systems needed it. 
      Thanks to Christian Mock for having discovered that.

    * Articles containing a Received: or a Posted: header field are no
      longer rejected by nnrpd at injection time.

    * Articles containing control characters or whitespace-only content
      lines in their headers are now rejected by nnrpd at injection time.

    * OpenSSL 1.1.0 support has been added to INN.

    * When an encryption layer is negotiated during a successful use of the
      STARTTLS command, or after a successful authentication using a SASL
      mechanism that negotiates an encryption layer, nnrpd now updates the
      permissions of the news client according to the new secure state of
      his connection (that is to say auth blocks in readers.conf using the
      *require_ssl* parameter are taken into account).  Previously, only
      connections on a dedicated port (usually 563) were taking benefit from
      that parameter.  Thanks to Steve Crook for the bug report.

    * When a data integrity layer was negotiated during a successful SASL
      authentication, nnrpd was wrongly reseting any knowledge obtained from
      the client, such as the current newsgroup and article number.  This
      behaviour now applies only when an encryption layer is negotiated.

    * nntpsend now correctly waits until all of the child innxmit processes
      exit before it does.  It was causing nntpsend to fail to work properly
      on systems that use systemd, because when it exits prematurely,
      systemd kills all of the processes it launched, including the innxmit
      processes.  Thanks to Jonathan Kamens for the patch.

    * Update from GNU Libtool 2.4.2 to 2.4.6.

    * Other minor bug fixes and documentation improvements.

Upgrading from 2.5 to 2.6

    The following changes require your full attention because a manual
    intervention may be needed:

    * The name and location of the pullnews configuration file have changed.
      It is now pullnews.marks, located in *pathdb* when pullnews is run as
      the news user, or otherwise in the running user's home directory. 
      This file was previously stored in .pullnews in the running user's
      home directory (even for the news user).  If you use pullnews, you
      need to manually move and rename the configuration file; otherwise, it
      will no longer work.  Note that the -c flag passed to pullnews allows
      specifying another configuration file, if need be.

    * The default location of the mailpost database directory has changed
      from *pathtmp* to *pathdb*.  If you use mailpost without an explicitly
      specified database directory (using the -b flag), then you should
      manually move your current database files mailpost-msgid.dir and
      mailpost-msgid.pag from *pathtmp* to *pathdb*.

    * If you have been using TLS/SSL with nnrpd before, be aware that the
      default value of a few inn.conf parameters have changed:  the server
      now decides the preferred cipher (instead of the client), and only TLS
      protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is
      now disabled).  If you want to change these settings, the respective
      *tlspreferserverciphers* and *tlsprotocols* parameters can be tuned to
      your needs.

    * The --with-kerberos configure flag used to add Kerberos v5 support has
      been renamed to --with-krb5.

    * The --with-berkeleydb configure flag used to add Berkeley DB support
      has been renamed to --with-bdb.

    * The --enable-ipv6 configure flag no longer exists.  IPv6 is now
      unconditionally enabled, if available.

    * $HOME is no longer exported as an environment variable by
      innshellvars, innshellvars.tcl and the Perl module "INN::Config".  It
      was previously overriding the default user home directory with
      *pathnews*.  If you use these scripts in your own scripts, you will
      have to take care of that change.

    * Owing to the implementation of RFC 4643 (AUTHINFO USER/PASS) in innd,
      if remote peers have to authenticate in order to feed articles, they
      now have to send a username (which was previously wrongly optional),
      before sending their password.  The mandatory username, though
      currently unused by innd, can be whatever the remote peer wishes.  In
      previous versions of INN, inncheck was already complaining when
      passwd.nntp contained an empty username associated with a password.

      A manual review of authenticated feeds should then be done so as to
      ensure that they are properly working.

    * The Injection-Date: and Injection-Info: headers are now generated by
      nnrpd at injection time instead of the NNTP-Posting-Date:,
      NNTP-Posting-Host:, X-Complaints-To: and X-Trace: headers.  Local
      scripts that were using (for authentication, privacy, etc.) these now
      deprecated headers should be updated.  Also note that the Path: header
      of locally posted articles can also contain the contents of the
      deprecated NNTP-Posting-Host: field.

    * The two *addnntppostingdate* and *addnntppostinghost* parameters in
      inn.conf have been respectively renamed to *addinjectiondate* and
      *addinjectionpostinghost*.  innupgrade takes care of the modification
      only for inn.conf; a manual change will therefore be needed for
      readers.conf, if these parameters are overridden in this file.

    * The default values of a few inn.conf parameters have changed to make
      use of the vastly expanded storage and RAM commonly available today:
      datamovethreshold (from 8192 to 16384), msgidcachesize (from 16000 to
      64000), overcachesize (from 64 to 128), and wireformat (now enabled by
      default).

      The generation of status reports and performance timings are now also
      enabled by default:  logstatus and nnrpdoverstats parameters, with a
      frequency of 10 minutes (status and timer parameters).

    * The default value of max-queue-size has changed from 5 to 20, and
      use-mmap now defaults to true for innfeed.conf.

    If you are upgrading from a version prior to INN 2.5, see also
    "Upgrading from 2.4 to 2.5".

Changes in 2.6.0

    * The NNTP protocol requires a username to be sent before a password
      when authentication is used.  innd was wrongly allowing only a
      password to be sent by authenticated peers.  See the note above for
      more details.

    * The Lines: header is no longer generated by nnrpd at injection time.

    * The Injection-Date: header is now generated by nnrpd at injection time
      instead of the deprecated NNTP-Posting-Date: header, when
      *addinjectiondate* is set to true.  Note that *addnntppostingdate* has
      been renamed to *addinjectiondate* in inn.conf.

    * The Injection-Info: header is now generated by nnrpd at injection time
      instead of the deprecated NNTP-Posting-Host: (when
      *addinjectionpostinghost* is set to true), X-Complaints-To: and
      X-Trace: headers.  Note that *addnntppostinghost* has been renamed to
      *addinjectionpostinghost* in inn.conf.  The Path: header of locally
      posted articles now also contains the contents of the
      NNTP-Posting-Host: header.

    * A new *addinjectionpostingaccount* parameter has been added in
      inn.conf.  When set to true, the Injection-Info: header field contains
      an additional posting-account attribute that mentions the username
      assigned to the user at connection time or after authentication.  The
      default value for this parameter is false.

    * A few headers are now considered as obsolete by nnrpd at injection
      time:  NNTP-Posting-Date:, NNTP-Posting-Host:, X-Complaints-To:,
      X-Trace:, Also-Control:, Article-Names:, Article-Updates:, and
      See-Also: headers.

      Besides, nnrpd will similarly reject obsolete sendsys, senduuname and
      version control messages.

    * The presence of a Subject: header field beginning with "cmsg " no
      longer causes an article to be interpreted as a control message by
      nnrpd at injection time.

    * nnrpd no longer differentiates IHAVE from POST.  Articles injected
      with IHAVE are now treated as though they were injected with POST.  It
      means that if the previous behaviour of IHAVE was expected, innd
      should handle itself the connection instead of nnrpd.

    * The name of the pullnews configuration file is now pullnews.marks
      located in *pathdb* when pullnews is run as the news user, or
      otherwise in the running user's home directory.  It was previously
      stored in .pullnews in the running user's home directory (even for the
      news user).

    * Fixed a leak of semaphores when using buffindexed.  Thanks to Richard
      Kettlewell for having fixed the issue.

    * Building with Libtool is no longer optional.  The --enable-libtool
      option to configure has been removed.

    * DESTDIR and non-root installs are now properly supported and
      documented in INSTALL.  The "make install", "make update" and "make
      cert" steps properly obey DESTDIR.  Besides, it is no longer a
      requirement that the installation step be done by the superuser, as
      long as the user executing the install has supplied a DESTDIR value
      that points to a writable directory, *and* the person or process
      performing the install corrects the file ownerships when INN is
      installed on the system on which it's going to run.  Thanks to James
      Ralston for this support.

    * When building INN with Berkeley DB, Cyrus SASL, Kerberos v5, OpenSSL,
      or zlib support, no longer add standard locations to compiler and
      linker include flags.  Such default paths are now added only if
      explicitly given to one or more of the --with-bdb, --with-bdb-include,
      --with-bdb-lib, --with-sasl, --with-sasl-include, --with-sasl-lib,
      --with-krb5, --with-krb5-include, --with-krb5-lib, --with-openssl,
      --with-openssl-include, --with-openssl-lib, --with-zlib,
      --with-zlib-include, or --with-zlib-lib configure flags (the flags
      ending with "-include" and "-lib" are new in INN 2.6.0).

    * If the Berkeley DB, Cyrus SASL, Kerberos v5, or OpenSSL SSL and crypto
      libraries are found at configure time, INN will now be built with
      support for them unless respectively the --without-bdb,
      --without-sasl, --without-krb5, or --without-openssl flags are
      explicitly passed to configure.

      Note that it was already the default behaviour for zlib support when
      Berkeley DB support was also enabled.

    * The configure flag --enable-reduced-depends has been added to request
      that library probes assume shared libraries are in use and
      dependencies of libraries should not be probed.  It therefore tries to
      minimize the shared library dependencies of the resulting binaries on
      platforms with proper shared library dependencies.  This is not
      enabled by default, and is of interest primarily to people building
      packages for distributions.

    * Building INN with Python support now requires the use of Python 2.2.0
      or later as the distutils.sysconfig module used was introduced with
      Python 2.2.0.

    * The INN test suite driver is now fully synchronized with the upstream
      version of the C TAP Harness package maintained by Russ Allbery. 
      Keeping the INN test suite driver up-to-date will be possible thanks
      to a new getc-tap-harness script in the support directory that
      automatically fetches the latest upstream changes.

      Similarly, the new getrra-c-util script permits keeping most of the
      utility and portability functions synchronized with the upstream
      version of the rra-c-util package maintained by Russ Allbery.

    * Other minor bug fixes and documentation improvements.

Changes in 2.5.5

    * New inn.conf parameters used by nnrpd to fine-tune the TLS/SSL
      configuration have been added:  *tlsciphers*, *tlscompression*,
      *tlseccurve*, *tlspreferserverciphers*, and *tlsprotocols*.  Many
      thanks to Christian Mock for his contribution that permits tightening
      the level of security provided by TLS/SSL.

    * innwatch no longer creates a child process only for sleeping and then
      waits on that process.  The forked-off process only died after it had
      done sleeping, which caused the INN service to drop into maintenance
      state when for instance running under SMF on illumos/Solaris (since
      not all processes die within timeout).  Thanks to Lauri Tirkkonen for
      the patch.

    * innd no longer crashes if a channel is supposed to sleep but does not
      define a waker callback function.  Also, the highest file descriptor
      of sleeping channels is now properly updated.  Thanks to Petr
      Novopashenniy for the bug report.

    * Add new -i flag to both cnfsstat and innwatch to specify how many
      seconds they should sleep at startup.  It will especially be useful in
      rc.news so that these scripts are actually started and then sleep by
      themselves, instead of being started a minute after innd and therefore
      not being properly stopped if "rc.news stop" is invoked during that
      minute.

    * Add new -f flag to innwatch to specify the configuration file to use,
      in case it is not the default innwatch.ctl file.

    * Add new -t flag to mailpost to change, if needed, the default
      directory to use to temporarily store error messages that are sent to
      the newsmaster.  Two paths are now tried by default:  *pathtmp* as set
      in inn.conf, and then /var/tmp if *pathtmp* is not writable.

    * When the creation of a newsgroup needed expanding the tradindexed
      group index, an already-running nnrpd was not automatically noticing
      newly created newsgroups.  Richard Kettlewell fixed that issue.

    * Fixed flushing of CNFS buffers when using NFS storage.

    * Fixed how innupgrade is executed during an update of an INN
      installation; on a few systems like AIX, it fails to run because its
      taint mode was unproperly declared.

    * Several improvements have been contributed to pullnews by Geraint
      Edwards:  the new -a flag adds the Diablo-compatible hashfeed ability,
      the new -B flag triggers header-only feeding, the -m flag now permits
      removing headers matching (or not) a given regexp, and rnews reporting
      is improved.

    * innreport now properly takes into account the time nnrpd spends
      writing when using SASL.

    * scanlogs now only shows the first 50 lines from error log files. 
      Otherwise, all of them were present verbatim in the daily report, and
      the resulting e-mail could bounce owing to its length.  Thanks to
      Jeffrey M. Vinocur for the bug report.

    * Fixed the use of the legacy AUTHINFO GENERIC command, that has been
      broken since INN 2.4.0 (therefore proving readers probably no longer
      use that method to authenticate).  Thanks to Richard Kettlewell for
      having noticed, though, and contributed to tighten the security of the
      replies of this command.

    * Add the nnrp.access2readers.conf contribution script written by
      Jeffrey M. Vinocur to convert old-style nnrp.access file to
      readers.conf.

Changes in 2.5.4

    * An up-to-date control.ctl file is provided with this release.  You
      should manually update your control.ctl file with the new information
      recorded about Usenet hierarchies.

    * A test has been improved in innwatch.ctl so that innwatch no longer
      throttles innd when no overview directory exists.  You should manually
      update your innwatch.ctl file to get this improvement.

    * Fixed a long-standing limitation on how controlchan and pgpverify were
      checking the signer of control messages.  They now properly handle the
      case of several UIDs being defined on a single PGP key, as well as the
      presence of spaces into UIDs.  In previous versions of INN, a few
      valid control messages got ignored because of that limitation
      (fido.ger.* and grisbi.* were for instance impacted).

    * As the name of the radius.conf configuration file shipped with INN for
      the nnrpd authenticator against a RADIUS server conflicts with the
      libradius package, this file is renamed to inn-radius.conf (innupgrade
      takes care of the rename during the update).

    * The attributes hash is now accessible to nnrpd Perl posting filter. 
      As a result, filter_nnrpd.pl can make use of it.  Only authentication
      and access Perl hooks could previously use the attributes hash. 
      Thanks to Steve Crook for this addition.

    * INN now properly builds fine with flex 2.5.36 (this version introduced
      a change of type for a variable used by INN).

    * When using funnel feeds, innfeed log files were open forever, which
      resulted in empty log files, once rotated by scanlogs.  innfeed now
      reopens its log files upon receiving a HUP signal; this signal is in
      particular sent by scanlogs during log rotation.  Thanks to Florian
      Schlichting for the patch.

    * Exploder and process channels are now reopened when "ctlinnd
      flushlogs" is used.  Otherwise, they could hold open an already
      deleted errlog file.  The issue affected in particular controlchan or
      ninpaths, running as such channels.

    * Fixed a buffer overflow when using imapfeed with more than a million
      commands during the same IMAP session.  Thanks to David Binderman for
      the bug report.

    * Fixed a segfault occurring in innd on systems where time_t is a 64-bit
      integer.  Thanks to S.P. Zeidler for the patch.

    * Fixed a segfault occurring in nnrpd when a res block was used in
      readers.conf without the program: key.

    * Fixed an issue where users were denied posting because of an
      overlapping buffer copy in a check nnrpd was doing.  Thanks to Florian
      Schlichting for the patch.

    * Fixed a regression that occurred in INN 2.5.3 regarding the path used
      by default by pullnews for its configuration file.  Instead of looking
      in the running user's home directory, it was looking in the *pathnews*
      directory set in inn.conf.  Thanks to Tony Evans for the bug report.

    * When neither wget nor ncftpget nor ncftp was found at configure time,
      the path to the simpleftp substitution program shipped with INN was
      not properly set in innshellvars, innshellvars.pl, and the
      "INN::Config" Perl module.  Thanks to Christian Garbs for the bug
      report.

    * ckpasswd no longer tries to use the ndbm compatibility layer provided
      by Berkeley DB if Berkeley DB has been built without ndbm support. 
      Also add support for gdbm libraries in ckpasswd.

    * Fixed a Perl warning in inncheck; using "defined(@array)" has been
      deprecated since Perl 5.16.

    * Fixed the occurrence of an unexpected "cant select" error generated by
      innd.  Thanks to Paul Tomblin for having caught that long-standing
      issue.

    * When building INN with Berkeley DB support, no longer add -L/usr/lib
      to the linker include flags; unconditionally adding it may break the
      build on systems using lib32 and lib64 directories.

    * On a fresh INN install, motd.innd and motd.nnrpd are no longer
      installed by default.  Instead, samples for these files are provided
      in *pathetc*, named differently so that their default contents are not
      displayed to news clients before they get customised.

    * Other minor bug fixes and documentation improvements (like the
      addition in the readers.conf man page of the log: and program:
      parameters in res blocks, and the include directive).

Changes in 2.5.3

    Please note that the HTML_STATUS compile-time option has been replaced
    with the *htmlstatus* parameter in inn.conf.  If you used HTML_STATUS,
    you should set *htmlstatus* accordingly.

    A confusion in the name of a key in innfeed.conf existed in the source
    code.  Make sure that the misspelled, undocumented *backlog-limit-high*
    key is *not* used in your innfeed.conf file; its real name is
    *backlog-limit-highwater*.  You should rename the key in case it is
    present in your configuration file.  Otherwise, it will not be taken
    into account.  You can run inncheck to verify that the syntax of this
    file is correct.

    It is generally recommended to run inncheck after any changes done to
    configuration files, especially with the new improved version of this
    script shipped with INN 2.5.3, thanks to the hard work of Florian
    Schlichting who added support for the syntax of incoming.conf,
    innfeed.conf, readers.conf and storage.conf.

    An up-to-date control.ctl file is provided with this release.  You
    should manually update your control.ctl file with the new information
    recorded about Usenet hierarchies.

    * When HDR/XHDR/XPAT were used on a new article coming into a newsgroup,
      requesting a header not present in the overview database, the first
      subsequent OVER/XOVER command did not show that article.  A remap of
      the overview data file was missing in nnrpd.  Thanks to Sam
      Varshavchik for the bug report.

    * When a header field appeared more than once in an article, it was
      missing from the overview data.  OVER/XOVER, as well as HDR/XHDR/XPAT
      using the overview, were therefore returning an empty field.  The
      content of the first occurrence is now returned, in accordance with
      RFC 3977.

      Perl and Python filters for innd now also properly initialize their
      header variables with the first occurrence of header fields.  (It is
      still the last occurrence for the Perl filter for nnrpd.)

    * Fixed a possible plaintext command injection during the negotiation of
      a TLS layer.  The vulnerability detailed in CVE-2011-0411 (and
      CVE-2012-3523, specifically for INN) affects the STARTTLS and AUTHINFO
      SASL commands.  nnrpd now resets its read buffer upon a successful
      negotiation of a TLS layer.  It prevents malicious commands, sent
      unencrypted, from being executed in the new encrypted state of the
      session.

    * Fixed a regression that occurred in INN 2.5.0 when leading whitespace
      characters have been made significant in header field bodies.  It
      could lead INN to drop articles and throttle itself when running as a
      slave because Xref: header fields generated by other news servers, or
      even INN 2.4.6, could contain (valid) leading whitespace.  Thanks to
      Matija Nalis for having caught this bug.

    * Fixed an invalid 431 response to CHECK commands when innd is paused:
      the message-ID of the article to defer was missing.  Also fixed
      another issue in the messages innd replied; when an error occurred
      during a write on a channel, a trailing extra junk byte was added to
      the reply.  Thanks to River Tarnell for these bug reports.

    * It is now possible to properly generate daily statistics with
      sendinpaths thanks to the new -k and -r flags that permit controlling
      the interval of days for processing dump files.  The new -c flag
      permits sending a copy of the generated e-mail to the newsmaster.

      Also fixed an issue with statistics that could be missing or
      duplicated for a couple of days when monthly sent.

      The documentation has been updated and mentions a preferred daily run
      of sendinpaths.  This script is a complete rewrite in Perl, and is
      based on Mohan Kokal's initial work.

    * cnfsheadconf now properly recognizes continuation lines in
      cycbuff.conf, that is to say lines ending with a backslash ("\"). 
      Thanks to John F. Morse for the bug report.

    * The order of CNFS buffers in a metacycbuff is now properly read and
      written by cnfsheadconf.  There previously was a confusion between
      hexadecimal and decimal values.  Thanks again to John F. Morse.

    * When the -l flag is given to cnfsstat, the cycbuff.conf and
      storage.conf files are now reloaded if they have been modified since
      the previous output of cnfsstat.

    * A single header field line is limited to 998 bytes, per RFC 5536. 
      innd was previously accepting, and also generating Xref: header field
      lines, up to 1022 bytes.  Now, nnrpd (acting as an injecting agent)
      rejects articles which contain header field lines whose length exceeds
      998 bytes.  And innd (acting as a relaying or serving agent) no longer
      checks that.

    * nnrpd advertises the COUNTS, DISTRIBUTIONS, MODERATORS, MOTD and
      SUBSCRIPTIONS variants of the LIST command in response to
      CAPABILITIES.  These commands already existed in nnrpd but RFC 6048
      had not yet been published.

    * Add support for LIST MOTD in innd.  Consequently, the motd.news
      configuration file which was previously used only by nnrpd is renamed
      to motd.nnrpd (innupgrade takes care of the rename).  innd uses the
      new motd.innd file in *pathetc* for its message of the day.

    * Fixed an issue at configure time that made INN wrongly assume that
      OpenBSD (4.6) didn't support Unix-domain sockets.  Thanks to Wim Lewis
      for the patch.

    * Fixed an issue on systems which do not have a working flock(2)
      function (Solaris, for instance).  mailpost and pullnews are reported
      not to be usable on such systems.  Many thanks to Dennis Davis for the
      bug report.

      A wrapper around shlock is now called in Perl scripts.  The
      INN::Utils::Shlock module has been added for that use.

    * Fixed an issue in the Python access hook for nnrpd:  it has not been
      working since Python 2.5 on 64-bit platforms, owing to a change to
      Python's C API, using a new Py_ssize_t type definition instead of int.
      Thanks to Raphael Barrois for the patch.

    * Improve the stability of the Perl filters for innd and nnrpd: properly
      save and restore the stack pointer when needed.

    * The Injection-Date: header, when present, is now used by innd and
      makehistory to determine the posting date of an article.  Otherwise,
      the Date: header is used.

    * controlchan now imposes a date cutoff on processing control articles. 
      The *artcutoff* parameter set in inn.conf is used.  Otherwise, without
      that cutoff, old control articles could be maliciously reinjected into
      Usenet, and replayed.  (An unsigned Injection-Date: header field could
      be added to an article that only had a Date: header field.)  A new -c
      flag has been added to controlchan to disable the cutoff check, if
      needed (usually when manually invoking the program).

    * nnrpd no longer adds or updates the Path: header field when an article
      is forwarded to a moderator.  It could otherwise lead to rejects at
      injection time when the article was approved by the moderator.

    * The X-Trace: header field was not properly generated when an article
      was locally posted.  The field mentioning the IP address was skipped,
      resulting in a wrong syntax for this header.  The local "127.0.0.1" IP
      address is now used.  Besides, "localhost" is now mentioned instead of
      an obscure "stdin" in injection header fields.

    * Fixed a bug in the frequency innfeed logs its status:  too many
      useless lines were written to news.notice.  Thanks to Florian
      Schlichting for the fix.

    * When unset in innfeed.conf, the *dynamic-method* parameter now
      properly defaults to 3 (instead of 0) and *use-mmap* to false (instead
      of true).  These two values were already the recommended ones in the
      documentation and the sample file.  Note that *use-mmap* is only used
      when innfeed is given file names to send instead of storage API
      tokens, which is a fairly rare use case.

    * innfeed no longer generates an error message (logged in news.err) when
      a parameter is not defined in innfeed.conf.  All the parameters have a
      default value, so there is no need to warn the user if they are not
      present in innfeed.conf.  Thanks to Dieter Stussy for having reported
      this problem.

    * Implement an upper limit to the number of file descriptors innd can
      handle.  At most (FD_SETSIZE-1) file descriptors can be used.  This
      upper limit now overrides any superior number set with *rlimitnofile*
      in inn.conf.  Thanks to Steve Crook for the bug report.

    * A default timeout on outgoing sockets (using NNTPconnect) has been
      added by Florian Schlichting.  For a long time, there have been
      occasional problems with actsync (and probably other programs) that
      would hang until manually killed or restarted.

    * The flag -S has been added to innd by Florian Schlichting.  When used,
      innd reports the errors found in incoming.conf and exits.

    * pullnews no longer stops processing newsgroups when an error occur
      during its run (for instance when a newsgroup mentioned in the
      configuration file is removed from an upstream server).  Besides, it
      can now use authentication when posting to the downstream server.

      A few other minor bugs have been fixed as for the way pullnews counts
      the articles.

    * Fixed the way innreport handles leap years.  It now properly generates
      HTML reports; dates were assumed to be relative to the current year,
      which may break their computation during for instance the whole 2012
      leap year.  Please note that no HTML reports have been lost, and that
      they will appear when INN is updated to this new version.

    * A new parameter has been added to inn.conf to determine whether the
      status file that innd can write out (depending on the value of the
      *status* parameter) is plain text or wrapped in HTML.  It previously
      only was a compile-time option, set to true by default.  Florian
      Schlichting added the *htmlstatus* parameter to provide a configurable
      behaviour.

    * It is now possible to run a script at the end of the execution of
      innshellvars scripts.  If a file named innshellvars.local,
      innshellvars.pl.local or innshellvars.tcl.local is present and
      executable in *pathetc*, then it will be executed by the corresponding
      innshellvars script (respectively shell, INN::Config Perl module, and
      Tcl).  A typical use is to add or override variables.

    * Add support for wire-formatted articles in scanspool.

    * A lot of work on cleaning old perl4-style code has been done by
      Florian Schlichting.

    * inncheck now generates a proper non-zero exit value when errors are
      found, and allows quiet mode with the -q flag.  Florian Schlichting
      has greatly improved this script in many regards, especially with a
      config-syntax parser for incoming.conf, innfeed.conf, readers.conf and
      storage.conf.

    * inncheck now properly finds the boundaries of substituted variables in
      newsfeeds thanks to Alexander Bartolich.

    * docheckgroups no longer uses awk.  On a few systems, the script was
      failing because of the presence of an old version of awk that has a
      limit in the size of the input it can handle.  Processing large
      newsgroups files was consequently impossible.  docheckgroups now uses
      Perl instead of awk, which solves the issue reported by John F. Morse.

    * Other minor bug fixes and documentation improvements.  In particular,
      the *debug-shrinking*, *fast-exit* and *initial-sleep* keys in
      innfeed.conf are now documented.  The function "filter_end()", called
      when Perl filtering is turned off, is also documented for the innd and
      nnrpd Perl filters.

Changes in 2.5.2

    The way checkpoints are handled by innreport for innd and innfeed has
    totally changed to provide more accurate daily statistics.  The first
    Usenet report after an upgrade to INN 2.5.2 will probably contain
    incorrect statistics for incoming and outgoing articles because the
    beginning of the log files that will be used was generated by a previous
    version of INN.

    A new version of innreport.conf is shipped with INN 2.5.2 but, in order
    to preserve any local changes, will not be automatically installed with
    make update.  The changes are minor and not mandatory for the upgrade.

    * Julien Elie has implemented in innd the new version of the NNTP
      protocol described in RFC 3977, RFC 4643 and RFC 4644, and innd now
      recognizes the CAPABILITIES command.  Despite these standards, three
      commands (IHAVE, CHECK and TAKETHIS) will continue, for
      interoperability reasons, to return a reject code (respectively 435,
      438, and 439) when the command contains a syntax error instead of 501.
      The mandatory username argument for authenticated peers is not
      enforced in INN 2.5.2 but will be be enforced by INN 2.6.0 when it is
      released.

      Major improvements are:

      * innd now has a decent parser for NNTP commands.  The parser is more
        correct (commands like "IHAVE<mid>", without a space between the
        command and its argument, are no longer valid) and allows leading
        and trailing whitespaces in commands.  innd also now checks the
        length of the NNTP command sent by the client.  If the command
        contains more than 512 bytes (or 497 bytes for an argument), an
        error is returned and the command is discarded.  After ten
        unrecognized commands, innd closes the connection with the
        appropriate code (400 instead of 500).

      * The output of the HELP command specifies the arguments expected by
        NNTP commands, similar to nnrpd's HELP command.

      * LIST ACTIVE, LIST ACTIVE.TIMES and LIST NEWSGROUPS now allow an
        optional wildmat argument to restrict the results of those commands
        to specific newsgroups.

      * When using HEAD or STAT with an article number or a range, 412 (no
        group selected) is now returned instead of 501 (syntax error).

    * Jeffrey M. Vinocur has implemented support in both innd and nnrpd for
      whitespace in usernames/passwords provided with AUTHINFO USER/PASS. 
      They were previously treated as invalid arguments or incorrectly
      parsed.  innd and nnrpd now treat everything after the first
      whitespace character following AUTHINFO USER/PASS, up to, but not
      including, the final CRLF, as the username/password, in conformity
      with RFC 4643.

    * The syntax of message-IDs is now based on RFC 5536 (USEFOR) instead of
      RFC 1036.  The major change is that quoted-pairs have been removed
      from the syntax.

    * The Perl and Python filters for innd now check the message-ID of
      articles arriving through TAKETHIS.  Only CHECK and IHAVE commands
      previously used them.

    * Case-insensitive matches are now used for distributions, path
      identities, IMAP commands, header names, and control commands. 
      (Newsgroups are still matched case-sensitively.)  Message-IDs are
      case-sensitively matched, except for history hashes.

    * The new Archive:, Archive-At:, Comments:, and Summary: header fields
      defined in RFC 5064 and RFC 5536 can be used in innd filters.  nnrpd
      now checks at injection time that an article does not contain an
      Injection-Info: header, that an Injection-Date: header (if provided)
      is valid, and that the Path: header does not contain ".POSTED".  Note
      that INN does not yet generate these two injection fields or include
      the new Path: header field ".POSTED" keyword.  These new features will
      be in the next major release of INN.

    * LIST SUBSCRIPTIONS now accepts an optional wildmat argument to
      restrict the results of this command to specific newsgroups.

    * nnrpd now supports a new LIST variant named COUNTS.  LIST COUNTS is a
      combination of LIST ACTIVE and GROUP.  It returns the same result as
      LIST ACTIVE except that the number of articles in a newsgroup is
      inserted before its status.

    * A new flag has been added to newsfeeds entries: "Aj", when present,
      says to feed articles accepted and filed in "junk" (due to
      *wanttrash*) to peers based on their newsfeeds feed patterns applied
      to the Newsgroups: header as though the article were accepted and all
      those groups were locally carried.  This is useful if you want to run
      INN with a minimal active file and propagate all posts.  Thanks to
      Andrew Gierth for the patch.

    * A new parameter has been added to inn.conf: *logtrash* defines whether
      a line for articles posted to groups not locally carried by the news
      server should be added in the news log file to report unwanted
      newsgroups.  The default is true but it can be useful to set it to
      false (especially when *wanttrash* is also used).

    * The procbatchdir keyword has been added to news.daily to specify the
      backlog directory of innfeed.  This is useful when several instances
      of innfeed are running or when its configuration file is not the
      default one.

    * sm now supports a new flag, -c, which shows a decoded form of the
      storage API token.  This was previously done by the contrib showtoken
      script developed by Olaf Titz and Marco d'Itri.

    * The O flag in newsfeeds now relies on the contents of the
      Injection-Info: header field if it is present to determine the origin
      of an article.  It falls back on X-Trace: if there is no
      Injection-Info: header field.

    * A new "unsigned long" type bas been added to the configuration parser.
      It will properly warn the news administrator when a variable supposed
      to be positive contains a negative integer.  It will prevent INN from
      crashing due to misconfiguration at several places where it did not
      expect negative values.

    * innxbatch and innxmit now recognize the new 403 code introduced by
      RFC 3977 for a problem preventing the requested action from being
      taken.

    * HDR and OVER commands now return the correct 423 code (instead of 420)
      when the current article number is used but the article no longer
      exists.

    * actsync, inews, innxbatch, innxmit, nntpget and rnews can now
      authenticate to news servers which only expect a username, without
      password, conforming to RFC 4643.

    * The keyword generation code now generates a Keywords: header only if
      the original article does not already have one.  The generated
      Keywords: header no longer begins with a comma.  If keyword generation
      is set to true in inn.conf but the Keywords: header is not stored in
      the overview, the news administrator is warned and keyword generation
      deactivated, since it exists only to populate the overview data.

    * Two segfaults in keyword generation were fixed.  The first occurred
      when an article already had a Keywords: header longer than the
      *keylimit* parameter.  The second was caused by a possible invalid
      pointer beyond the newly allocated Keywords: header.

    * Fixed innd handling of empty lines.  innd was not properly discarding
      an empty command and was closing the connection when it received only
      whitespace in a command.

    * Fixed a bug in how innd responded to reader commands when readers were
      not allowed.  A superfluous blank line was sent in its response.

    * Fixed a bug in innd's response to TAKETHIS when authentication is
      required.  Previously, 480 code was returned immediately without
      accepting the multi-line data block first, which broke synchronization
      in the NNTP protocol.

    * Fixed a bug in recognizing the article terminator when empty articles
      were fed to innd via IHAVE or TAKETHIS, leading to treating subsequent
      NNTP commands as part of the article.

    * When innd could not provide information for LIST ACTIVE.TIMES and LIST
      NEWSGROUPS, it was returning an invalid error message without a
      response code.  The proper 503 answer code is now returned.

    * When an unauthenticated user tried to post an article, nnrpd replied
      440 (posting not allowed) instead of the correct 480 (authentication
      required) response if the user might be able to post after
      authentication.  Thanks to Daniel Weber for the bug report.

    * Fixed a bug in both innd and nnrpd answers to LIST commands where the
      output was not checked for valid dot stuffing.

    * Fixed a bug leading to junked non-control articles being sent to
      control-only feeds, and also fixed handling of poisoned control
      groups.  Thanks to Andrew Gierth for the patch.

    * Fixed a bug in innreport leading to incorrect summing of innd stats
      when *hostname* was set to an IPv6 address instead of a fully
      qualified domain name.  Thanks to Petr Novopashenniy for the bug
      report.

    * Changed how innreport uses innd and innfeed checkpoint messages. 
      Previously, connections held open for multiple days led to skewed and
      incorrect statistics on how many articles had been received or sent. 
      The count is now more accurate and, for each connection of a feed,
      only depends on *incominglogfrequency* in inn.conf and *stats-period*
      in innfeed.conf.

    * Fixed a bug in nnrpd Perl filter: a header field whose name begins
      with the name of a standardized header field was not properly handled.

    * Fixed a bug in how innd was parsing Message-ID: and Supersedes:
      headers which contained trailing whitespace.  The article was
      corrupted by an unexpected "\r" in the middle of the header.  nnrpd
      now checks the syntax of the Message-ID: header field, if present.

    * Fixed various bugs in how leading whitespace was treated in headers. 
      The HDR, XHDR and XPAT commands were not properly showing leading
      whitespace in header values.  Lone "\n" and "\r" characters are now
      changed into spaces and "\r\n" is just removed.  archive, makehistory,
      and tdx-util now keep leading whitespace in headers when generating
      overview data, and archive now changes "\n" (when not preceded by
      "\r") into a space when generating overview data.

    * Fixed a bug in the generation of overview data which may corrupt
      previously generated overview data when a pseudo Xref: header field is
      injected in an extra overview field.

    * Fixed a bug in the parsing of the *ovgrouppat* wildmat in inn.conf
      that prevented overview data from being generated when poisoned groups
      were specified but a latter sub-pattern matched the group.  A uwildmat
      expression is now correctly handled, and a potential segfault has been
      fixed.  Thanks to Dieter Stussy for the bug report.

    * Fixed a bug when HDR, XHDR and XPAT were used when *virtualhost* was
      set to true in readers.conf.  The Xref: header of articles posted to
      only one newsgroup appeared empty.

    * Fixed a bug in tdx-util in parsing empty overview fields when called
      with -A or -F.

    * Fixed a bug in cvtbatch, which was returning only the size of the
      headers of an article when the "b" parameter was used with the -w
      flag.  It now correctly returns the size of the whole article, which
      is what "b" was documented to do.  cvtbatch also has a new "t"
      parameter, which can be used with the -w flag to retrieve the arrival
      time of an article.

    * Fixed a bug in how mailpost handles cross-posting feature.  It was not
      properly detaching from sendmail.  Thanks to Harald Dunkel for the
      patch.

    * Fixed a bug in the newsfeeds C flag: the count of followup groups was
      one less than the real number.  When the value of the Followup-To:
      header field is "poster", it is no longer considered to be a followup.
      Thanks to Dieter Stussy for the patch.

    * When using tradindexed, the overview data for a cancelled article is
      now immediately removed from the overview.  Thanks to Lars Magne
      Ingebrigtsen for the patch.

    * batcher has not supported the retrieval of an article with its file
      name for a long time.  The -S flag has therefore been removed.

    * inews no longer rejects articles that contain more than 50 header
      fields.  Thanks to Torsten Jerzembeck for the bug report.

    * news.daily no longer sends superfluous mails when the nomail keyword
      is given.  Mail is only sent when there is real output.  Previously,
      there would always be headings and empty lines left over from the
      structuring of the full report, which are now omitted.  Also, the
      output of programs executed with postexec is now included in the
      regular mail.  Thanks to Florian Schlichting for the patch.

    * innconfval no longer maps NULL string or list values to an empty
      string or list and instead maps them to undefined values.  This fixes
      an issue reported by Kamil Jonca: nnrpd was inserting an empty
      Organization: header when the *organization* parameter in inn.conf was
      unset.

    * Other minor bug fixes and documentation improvements.

Changes in 2.5.1

    * Fixed a segfault in imap_connection which could occur when SASL was
      used.

    * Fixed a segfault in the keyword generation code which was assuming
      that an article was nul-terminated.  Fixed another segfault in the
      keyword generation code when an article already contained a Keywords:
      header.  Thanks to Nix for the bug reports.

    * Owing to the US-CERT vulnerability note VU#238019, Cyrus SASL library
      has slightly changed.  imap_connection and nnrpd now handle that
      change.  Otherwise, some answers are too long to be properly computed
      during SASL exchanges.

    * Fixed a memory allocation problem which caused nnrpd to die when
      retrieving via HDR/XHDR/XPAT the contents of an extra overview field
      absent from the headers of an article.  The NEWNEWS command was also
      affected on very rare cases.  Thanks to Tim Woodall for the bug
      report.

    * HDR/XHDR/XPAT answers are now robust when the overview database is
      inconsistent.  When the overview schema was modified without the
      overview database being rebuilt, wrong results could be returned for
      extra fields (especially a random portion of some other header).  The
      desired header name is now explicitly searched for in the overview
      information.

    * Fixed the source which is logged to the news log file for local
      postings when the local server is not listed in incoming.conf.  A
      wrong name was used, taken amongst known peers.  The source is now
      logged as "localhost".

    * Fixed a bug in the timecaf storage method:  only the first 65535
      articles could be retrievable in a CAF, though everything was properly
      stored.  (A Crunched Article File contains all the articles that
      arrive to the news server during 256 seconds.)

      The storage token now uses 4 bytes to store the article sequence
      number for timecaf, instead of only 2 bytes.  Thanks to Kamil Jonca
      for the bug report and also the patch.

    * Fixed a bug in both timecaf and timehash which prevented them from
      working on systems where short ints were not 16-bit integers.

    * When there is not enough space to write an entire CAF header, the
      timecaf storage manager now uses a larger blocksize.  On 32-bit
      systems, the CAF header is about 300 bytes, leaving about 200 bytes
      for the free bitmap index (the remaining of a 512-byte blocksize).  On
      64-bit systems, the size of the CAF header could exceed 512 bytes,
      thus leaving no room for the free bitmap index.  A 1 KB blocksize is
      then used, or a larger size if need be.

    * A new CNFS version has been introduced by Miquel van Smoorenburg in
      the CNFS header.  CNFSv4 uses 4 KB blocks instead of 512 bytes, which
      more particularly makes writes faster.  CNFSv4 supports
      files/partitions up to 16 TB with a 4 KB blocksize.

      Existing CNFS buffers are kept unchanged; only new CNFS buffers are
      initialized with that new version.

    * grephistory -l now returns the contents of the expires history field
      as well as the hash of the message-ID.  Besides, when the storage API
      token does not exist, grephistory -v now also returns the hash of the
      requested message-ID.

    * The check on cancel messages when *verifycancels* is set to true in
      inn.conf has been changed to verify that at least one newsgroup in the
      cancel message can be found in the article to be cancelled.  This new
      feature is from Christopher Biedl.

      The previous behaviour was to check whether the cancel message is from
      the same person as the original post, which is extremely easy to
      spoof; besides, RFC 5537 (USEPRO) mentions that "cancel control
      messages are not required to contain From: and Sender: header fields
      matching the target message.  This requirement only encouraged cancel
      issuers to conceal their identity and provided no security".

    * The way the "/remember/" line in expire.ctl works has changed. 
      History retention for an article was done according to its original
      arrival time; it is now according to its original posting date. 
      Otherwise, unnecessary data may be kept too long in the history file.

      To achieve that, the HISremember() function in history API now expects
      a fourth parameter:  the article posting time.

      Note that article expiration has not changed and is still based on
      arrival time, unless the -p flag is passed to expire or expireover, in
      which case posting time is used.

    * The default value for "/remember/" has changed from 10 to 11 because
      it should be one more than the *artcutoff* parameter in inn.conf, so
      that articles posted one day into the future are properly retained in
      history.

    * auth_krb5 has been rewritten by Russ Allbery to use modern Kerberos
      APIs.  Note that using ckpasswd with PAM support and a Kerberos PAM
      module instead of this authenticator is still recommended.

    * A new -L flag has been added by Jonathan Kamens to makehistory so as
      to specify a load average limit.  If the system load average exceeds
      the specified limit, makehistory sleeps until it goes below the limit.

    * As UTF-8 is the default character set in RFC 3977, "ctlinnd pause",
      "ctlinnd readers", "ctlinnd reject", "ctlinnd reserve", "ctlinnd
      throttle" and "nnrpd -r" commands now require the given reason to be
      encoded in UTF-8, so that it can be properly sent to news readers. 
      The creator's name given to "ctlinnd newgroup" is also expected to be
      encoded in UTF-8.

    * The output of consistency checks for article storage and the history
      file no longer appears by default when "cnfsstat -a" is used.  A new
      -v flag has been added to cnfsstat so as to see it.

    * The default path for TLS certificates has changed from *pathnews*/lib
      to *pathetc*.  It only affects new INN installations or generations of
      certificates with "make cert".  Besides, a default value has been
      added to *tlscapath* because it is required by nnrpd when TLS is used.

    * gzip(1) is now the default UUCP batcher in send-uucp instead of
      compress(1) because gzip is more widely available than compress, due
      to old patent issues.  Note that there is no impact on decompression
      as it is handled by rnews.

    * cnfsheadconf now uses the Perl core module "Math::BigInt" rather than
      the deprecated bigint.pl library.  When used without specifying a CNFS
      buffer, it now properly displays the status of all CNFS buffers.

Upgrading from 2.4 to 2.5

    The following changes require your full attention because a manual
    intervention may be needed:

    * In order to process control messages, controlchan now needs the
      "MIME::Parser" module.  Packages are available from most
      distributions, or you can install the module directly from CPAN
      ("MIME-tools" in modules/by-module/MIME/, for instance on
      ftp.perl.org).

      Perl 5.8.0 or later is recommended for INN.  If you are using an
      earlier version, you will also need the "Encode" module for correct
      processing of control messages.  (It is included with Perl itself in
      5.8.0 and later.)

    * Checkgroups control messages are now differently handled by
      controlchan: all matching lines in control.ctl will be used for a
      given checkgroups and a doit action will really be executed (adding,
      removing and changing the status of newsgroups).  You should make sure
      that your local configuration does not rely on the previous behaviour
      of only mailing changes, without actually performing them.

    * You should use the new control.ctl.local file shipped with INN in
      *pathetc* and, at the same time, update your control.ctl and
      moderators files.  Also make sure that your active.times, distrib.pats
      and newsgroups files are properly encoded in UTF-8, as it is strongly
      recommended by RFC 3977.

    * The overview.fmt file is no longer used by INN.  Two new parameters
      have been added to inn.conf:  *extraoverviewadvertised* and
      *extraoverviewhidden*.  Although innupgrade takes care of the change
      during "make update", you should make sure that your overview database
      is consistent with all the fields declared in overview.fmt because
      they will all be advertised, and "Xref:full" forced as the eighth
      overview field.  See the inn.conf(5) man page for more information
      about these parameters.

    * The innreport configuration file has slightly changed.  The new
      innreport.conf file shipped with INN should be used and your possible
      changes backported to this new version.

    * The $SPOOLBASE variable has been renamed to $SPOOLDIR in innshellvars
      in order to be more consistent.  It impacts shell scripts only.  If
      you import innshellvars and use that variable in your scripts, you
      will have to rename it.

    * gpgverify is no longer included in INN, pgpverify now has better
      support for GnuPG and should be used instead.

    * The auth_smb authenticator program to check passwords with an SMB
      authentication is no longer included in INN.  It was a stripped-down
      version of pam_smbpass, wasn't maintained, and likely had security
      problems.  To authenticate to an SMB server such as Samba, use PAM and
      ckpasswd's PAM support instead.

    The parameters used by nnrpd to provide TLS support are now *tlscafile*,
    *tlscapath*, *tlscertfile* and *tlskeyfile* in inn.conf.  The sasl.conf
    file used for that in previous versions of INN is obsolete.  innupgrade
    takes care of the change during "make update".

    The *nntpactsync* parameter has been renamed to *incominglogfrequency*
    in inn.conf; innupgrade handles this renaming during the update.

    In newsfeeds, innfeed should be run directly rather than through
    startinnfeed.  innupgrade will attempt to take care of this modification
    during "make update".

    When starting innd by hand, innd can just be run directly rather than
    using inndstart.  If you get error messages about resetting the file
    descriptor limits, you may need to increase the file descriptor limits. 
    See the sample init script in contrib for an example of how to do this.

    If you are upgrading from a version prior to INN 2.4, see also
    "Upgrading from 2.3 to 2.4".

Changes in 2.5.0

    * Ken Murchison has contributed SASL authentication support for nnrpd,
      implementing the AUTHINFO SASL section of RFC 4643.  If the
      --with-sasl option is given to "configure", nnrpd will be able to
      authenticate clients via secure SASL mechanisms.

    * Julien Elie has implemented in nnrpd the new version of the NNTP
      protocol described in RFC 3977, RFC 4642 and RFC 4643.  Consequently,
      nnrpd now recognizes the CAPABILITIES command, the HDR and LIST
      HEADERS commands, the second optional argument to specify a range of
      articles to LISTGROUP, the OVER command, as well as the ":bytes" and
      ":lines" metadata items.

    * Heath Kehoe has added the ability to compress overview data before it
      is stored in ovdb.  It significantly improves the performance of this
      storage method and reduces the time spent by expireover.  See the new
      --with-zlib option to "configure" and the ovdb(5) man page.

    * Alexander Bartolich has greatly improved innreport and especially its
      XHTML output (a XSL transformation is also provided, if needed, in
      innreport-filter.xslt, in the contrib directory).

    * inndstart and startinnfeed are no longer part of INN and are no longer
      used.  Instead, a separate setuid root helper program written by Russ
      Allbery is used to bind to the news ports (and does only that), and is
      run by innd and nnrpd when necessary.  This means that INN may not be
      able to increase file descriptor limits for itself the way that it
      could before.  If you get error messages about resetting the file
      descriptor limits, you may need to increase the file descriptor limits
      as root before running rc.news as the news user.  See the sample init
      script in contrib for an example of how to do this.  More information
      on file descriptor limits can be found in INSTALL.

    * INN's IPv6 support was largely rewritten by Russ Allbery.  IPv4 and
      IPv6 are now handled through the same code wherever possible, the new
      IPv6-aware APIs are used everywhere possible, and replacement
      functions are provided for systems that don't have them yet.  The
      network code is now much more centralized, eliminating lots of
      duplicate code and adding better IPv6 support to some utilities.

    * INN now uses autoconf 2.61 or later for configuration.  As a result,
      some "configure" options have changed slightly and more of the
      standard --*dir options should be supported in lieu of the old
      INN-specific options.  See "configure --help" for the available
      options.

    * Thanks to Kirill Berezin, the buffindexed overview method now supports
      buffers larger than 2 GB.  It is not necessary to compile INN with
      large file support to use such large buffers with buffindexed. 
      Buffindexed is now also more robust with mmaped files and uses more
      optimized data placement.

    * tinyleaf, a miniature IHAVE-only leaf server written by Russ Allbery,
      is now included.  See the tinyleaf(8) man page for more information.

    * controlchan recognizes the new application/news-groupinfo entity
      described in USEPRO and can handle character set conversions of
      newsgroup descriptions.  The "MIME::Parser" and "Encode" modules are
      used.  Processing control messages has been greatly improved,
      especially checkgroups:  the active and newsgroups files are now
      properly updated when they are processed, and all matching lines in
      control.ctl for a given checkgroups are honoured (which for instance
      allows using both drop and doit actions for the same checkgroups
      message).

      A new control.ctl.local file has also been added in *pathetc*.  Rules
      set in that file override rules in control.ctl, allowing
      administrators to specify local rules for some control messages
      without modifying the control.ctl configuration file that comes with
      INN.  It also specifies encodings to use for the newsgroups file.  By
      default, UTF-8 will be used for newsgroup descriptions, as strongly
      recommended by RFC 3977.

    * The Perl and Python *filter_mode* hooks are now called when innd is
      shutting down via either "ctlinnd shutdown" or "ctlinnd xexec" with a
      new mode value of "shutdown".  This will allow the Perl hooks to save
      filter data across innd restarts without requiring that the news
      administrator throttle the server first.  (Python already had a
      separate close hook that is also called.)

    * The legacy innshellvars.pl script has been replaced with a real INN
      Perl module "INN::Config" for Perl programs.  The location of Perl
      modules can be set with the --with-libperl-dir option to "configure". 
      All Perl scripts shipped with INN have been converted to use that
      module.  You may want to consider using "INN::Config" in your Perl
      scripts, though innshellvars.pl is still provided with INN.

    * Support for embedded Tcl filters in innd has been removed.  It hasn't
      worked for some time and causes innd crashes if compiled in (even if
      not used).  If someone wants to step forward and maintain it, we
      recommend starting from scratch and emulating the Perl and Python
      filters.

    * If *strippath* is set in readers.conf, the whole user-supplied Path:
      header will now be stripped.  Previously, the final component of the
      user-supplied Path: would still be retained.

    * news2mail can now set the envelope-from address of the mails it sends.
      A third optional part in news2mail.cf entries has been added by
      D. Stussy to achieve that.

    * The -g option to nnrpd is no longer supported.  If you are verifying
      passwords against the system password database, see the ckpasswd(8)
      man page, and in particular the -s option.  (A much better idea would
      be to just use PAM, which ckpasswd supports.)

    * Fixed a bug in "ctlinnd renumber" which was resetting the low and high
      water marks of empty newsgroups in the active file.  This command now
      makes the low water mark one more than the real high water mark.  The
      answers to LIST ACTIVE, GROUP and LISTGROUP have also been fixed to do
      that.

    * Support for bzip2-compressed batches (with bunbatch) has been added.

    * news.daily now processes innfeed dropped files during daily
      maintenance, running procbatch.

    * Support for *runasuser* and *runasgroup* parameters in inn.conf allows
      setting the news user and the news group under which the news server
      runs.  Thanks to Ivan Shmakov for this feature.

      New other options have been added to configuration files:  *ignore* in
      incoming.conf, *logstatus*, *nnrpdflags* and *verifygroups* in
      inn.conf, and *log-time-format* in innfeed.conf.

      The --with-http-dir option has also been added to "configure" to set
      *pathhttp* in inn.conf.

      The *nntpactsync* parameter has been renamed to *incominglogfrequency*
      in inn.conf.

    * The sasl.conf file has been removed in favour of new parameters in
      inn.conf to deal with TLS support:  *tlscafile*, *tlscapath*,
      *tlscertfile* and *tlskeyfile*.

    * The overview.fmt file has been removed in favour of new parameters in
      inn.conf to deal with transition periods to accommodate overview
      reconfigurations.  It is now possible to specify on the one hand the
      fields that should be advertised by nnrpd in response to LIST
      OVERVIEW.FMT and used for HDR, XHDR and XPAT requests (see the new
      *extraoverviewadvertised* parameter) and on the other hand the
      additional fields that should be silently generated (see the new
      *extraoverviewhidden* parameter).

    * Support for Berkeley DB versions prior to 4.3 has been dropped.  You
      will have to use at least Berkeley DB 4.4; the recommended version is
      4.7.

    * INN now builds entirely free of warnings from GCC with fairly
      aggressive warning options enabled.  This involved lots of cleanup of
      const strings, signed versus unsigned type handling, correcting printf
      formats, and other changes that fixed obscure bugs and made INN's code
      more robust.  Russ Allbery has also done considerable cleanup work on
      some of INN's internals, simplifying, refactoring, and removing
      duplicate code.

    * INN's test suite is now much more comprehensive and tests some
      high-level functions as well as more of the portability and utility
      function layer.

    * A lot of work has been done on documentation:  improvements of
      existing documents, new documentation, and proof-reading.  Sample
      configuration files are also more detailed.

Changes in 2.4.6

    * Fixed the segfault of the radius authenticator when none of the radius
      servers respond.  Thanks to Matija Nalis for this patch.

    * Fixed a lost initialization in buffindexed, which resolves a potential
      segfault, thanks to a patch by Kirill Berezin.

    * INN now properly supports Perl 5.10.0 (and also 5.8.9); Perl filters
      were causing innd to segfault on a few systems like FreeBSD.

    * Fixed a long-standing bug which affected Perl hooks for innd: the
      variable containing the body of an article was not properly created,
      which caused regular expressions matching new lines to fail.  It
      especially affected filters like Cleanfeed which sometimes failed to
      detect unwanted articles.

      To fix that issue, Julien Elie added the use of a shared string,
      available since Perl 5.7.2, with a fall back to a slower but reliable
      copy of such bodies in case the function is not available.  Using a
      Perl version superior to 5.7.2 is therefore recommended.

    * Fixed two bugs which could prevent nnrpd from being run as a daemon in
      FreeBSD.  Thanks to Johan van Selst for having identified the problem
      and to Kai Gallasch for having provided a testing FreeBSD server.  The
      listening address was not initialized to "::0" or 0.0.0.0 when the -b
      flag was not used and an incorrect size was given when IPv6 was
      enabled and the binding done using IPv4.

    * Some annoying assertion failures occurring in innfeed have been fixed
      by Russ Allbery and Julien Elie.

    * Fixed a bug in mod-active for aliased newsgroups.  Only "=" was
      written to the active file.  Thanks to D. Stussy for this patch.

    * Fixed a bug which caused innd not to honour the Ad flag in newsfeeds.

    * Fixed a bug in the IP address displayed for "localhost" in innd's
      status file.  It was not correctly initialized.

    * Fixed a permission issue:  XHDR and XPAT were not checking the rights
      the user had to read articles when accessing them by their message-ID.

    * Fixed a bug in the replies of XHDR, XOVER and XPAT when the newsgroup
      is empty.  Two initial replies were sent instead of one:  the right
      420 code followed by a wrong 224 code.

    * When no newsgroup is selected, LISTGROUP now returns the right 412
      code (instead of 481).

    * inncheck now uses a range of permissions to see whether the file modes
      are correctly set.  Therefore, different configurations depending on
      the security the user wants to enforce on his system are possible.

    * A new improved version of docheckgroups is shipped with INN.  The -u
      flag permits updating automatically the newsgroups file (with a proper
      number of tabulations and an alphabetical sort), removing obsolete
      descriptions and adding new ones.  A second argument on command-line
      permits specifying which newsgroups should not be checked, so as not
      to treat them.

    * An *email=* keyword has been added by James Ralston to news.daily in
      order to supply another mail address than the one set at configure
      time for Usenet daily reports.

    * An updated moderators file with information about the aioe.*, perl.*
      and si.* hierarchies is provided; control.ctl is also up to date.

    * INN supports Berkeley DB 4.7, which is the recommended version to use
      owing to various bugs affecting previous versions of Berkeley DB.

    * Other minor bugs have also been fixed.

Changes in 2.4.5

    * Fixed the "alarm signal" around "SSL_read" in nnrpd:  it allows a
      proper disconnection of news clients which were previously hanging
      when posting an article through a SSL connection.  Moreover, the
      *clienttimeout* parameter now works on SSL connections.  Thanks to
      Matija Nalis for the patch.

    * SO_KEEPALIVE is now implemented for SSL TCP connections on systems
      which support it, allowing system detection and closing the dead TCP
      SSL connections automatically after system-specified time.  Thanks to
      Matija Nalis for the patch.

    * Fixed a segmentation fault when an article of a size greater than
      remaining stack is retrieved via SSL.  Thanks to Chris Caputo for this
      patch.

    * Fixed a few segfaults and bugs which affected both Python innd and
      nnrpd hooks.  They no longer check the existence of methods not used
      by the hooked script.  An issue with Python exception handling was
      also fixed, as well as a segfault fixed by Russ Allbery which happened
      whenever one closes and then reopens Python in the same process. 
      Julien Elie also fixed a bug when reloading Python filters (they were
      not always correctly reloaded) and a segfault when generating access
      groups with embedded Python filters for nnrpd.  Many thanks to David
      Hlacik for its bug reports.

    * The nnrpd.py stub file in order to test Python nnrpd hooks, as
      mentioned in their documentation, is now installed; only INN.py was
      previously installed in *pathfilter*.  Also fixed a bug in INN.py and
      add missing methods to it.

    * Fixed a long-standing bug in innreport which prevented it from
      correctly reporting nnrpd and innfeed log messages.

    * Fixed a hang in Perl hooks on (at least) HP/PA since Perl 5.10.

    * Fixed a compilation problem on some platforms because of AF_INET6
      which was not inside a HAVE_INET6 block in innfeed.

    * Fixed a bug in innfeed which contained thrice the same IPs for each
      peer; it unnecessarily slowed the peer IP rotation for innfeed. 
      Thanks, D. Stussy, for having seen that.  Miquel van Smoorenburg
      provided the patch.

    * A new *heavily* improved version of pullnews is shipped with this INN
      release.  This new version is provided by Geraint Edwards.  He added
      no more than 16 flags, fixed some bugs and integrated the backupfeed
      contrib script by Kai Henningsen, adding again 6 other flags.  A
      long-standing but very minor bug in the -g option was especially fixed
      and items from the to-do list implemented.  Many thanks again to
      Geraint Edwards.

    * New headers are accessible through Perl and Python innd filtering
      hooks.  You will find the exact list in the INN Python Filtering and
      Authentication Hooks documentation (doc/hook-python) and in Python
      samples.  Thanks to Matija Nalis for this addition of new useful
      headers.

    * New samples for Python nnrpd hooks are shipped with INN: 
      nnrpd_access.py for access control and nnrpd_dynamic.py for dynamic
      access control.  The nnrpd_auth.py script is now only used for
      authorization control.  See the readers.conf man page for more
      information (especially the *python_auth*, *python_access* and
      *python_dynamic* parameters).  The documention about INN Python
      Filtering and Authentication Hooks has also been improved by Julien
      Elie.

Changes in 2.4.4

    * Fixed incomplete checking of packet sizes in the ctlinnd interface in
      the no-Unix-domain-sockets case.  This is a potential buffer overflow
      in dead code since basically all systems INN builds on support Unix
      domain sockets these days.  Also track the buffer size more correctly
      in the client side of this interface for the Unix domain socket case.

    * Group blocks in incoming.conf are now correctly parsed and no longer
      cause segfaults when loading this file.

    * Fixed a problem with innfeed continuously segfaulting on amd64
      hardware (and possibly on lots of 64-bit platforms).  Many thanks to
      Ollivier Robert for his patch and also to Kai Gallasch for having
      reported the problem and provided the FreeBSD server to debug it.

    * scanlogs now rotates innfeed's log file, which prevents innfeed from
      silently dying when its log file reaches 2 GB.

    * Perl 5.10 support has been added to INN thanks to Jakub Bogusz.

    * Some news clients hang when posting an article through a SSL
      connection: it seems that nnrpd's SSL routines make it wrongly wait
      for data completion.  In order to fix the problem, the select() wait
      is now just bypassed.  However, the IDLE timer stat is currently not
      collected for such connections.  Thanks to Kachun Lee for this
      workaround.

    * Fixed a bug in the display of the used compressor ("cunbatch" was used
      if arguments were passed to gzip or bzip2).

    * Fixed a bug in mailpost and pullnews which prevented useful error
      messages to be seen.  Also add the -x flag to pullnews in order to
      insert Xref: headers in articles which lack one.

    * If compiling with Berkeley DB, use its ndbm compatibility layer for
      ckpasswd in preference to searching for a traditional dbm library. 
      INN also supports Berkeley DB 4.4, 4.5 and 4.6 thanks to Marco d'Itri.

    * ovdb_init now properly closes stdin/out/err when it becomes a daemon. 
      The issue was reported by Viktor Pilpenok and fixed by Marco d'Itri.

    * Added support for Diablo quickhash and hashfeed algorithms.  It allows
      distributing the messages among several peers (new Q flag for
      newsfeeds).  Thanks to Miquel van Smoorenburg for this implementation
      in INN.

    * innd now listen on separate sockets for IPv4 and IPv6 connections if
      the IPV6_V6ONLY socket option is available.  There might also be
      operating systems that still have separate IPv4 and IPv6 TCP
      implementations, and advanced features like TCP SACK might not be
      available on v6 sockets.  Thanks to Miquel van Smoorenburg for this
      patch.

    * The two configuration options *bindaddress* and *bindaddress6* can now
      be set on a per-peer basis for innfeed.  Setting *bindaddress6* to
      "none" tells innfeed to never attempt an IPv6 connection to that host.
      Thanks to Miquel van Smoorenburg for this patch.

    * Added a *nnrpdflags* parameter to inn.conf (modelled on the concept of
      *innflags*) to permit passing of command line arguments to instances
      of nnrpd spawned from innd.

    * A new inn.conf parameter called *pathcluster* has been added: it
      allows appending a common name to the Path: header on all incoming
      articles.  *pathhost* and *pathalias* (if set) are still appended to
      the path as usual, but *pathcluster* is always appended as the last
      element (e.g. on the leftmost side of the Path: header).  Thanks to
      Miquel van Smoorenburg for this feature.

    * simpleftp has been rewritten to use "Net::FTP".  Indeed, ftp.pl is no
      longer shipped with Perl 5 and the script did not work.

    * perl-nocem will now check for a timeout and re-open the socket if
      required.  Additionally, perl-nocem will switch to cancel_ctlinnd in
      case cancel_nntp fails after sending the Message-ID.  Thanks to
      Christoph Biedl for the patch.  A more detailed documentation has also
      been written for perl-nocem(8).

    * The RADIUS configuration is now wrapped in a "server {}" block in
      radius.conf.

    * Checkgroups when there is nothing to change no longer result in
      sending a blank mail to administrators.  Besides, no mail is sent by
      controlchan for the creation of a newsgroup when the action is "no
      change".

    * Checkgroups are now properly propagated even though the news server
      does not carry the groups they are posted to.

    * controlchan and docheckgroups now handle wire format messages so that
      articles from the spool can be directly fed to them.

    * Newgroup control messages for existing groups now change their
      description.  If a mail is sent to administrators, it reminds them to
      update their newsgroups file.  It also warns when there are missing or
      obsolete descriptions.  Furthermore, the newsgroups file is now
      written prettier (from one to three tabulations between the name of
      the group and its short description) and to.* groups cannot be
      created.

    * The sample control.ctl file has been extensively updated.

    * Fixed empty LISTGROUP replies which were not terminated.  Thanks to
      David Canzi for the patch.

    * In response to a LIST [file] command, if the file does not exist, we
      assume it is not maintained and return 503 instead of 215 and an empty
      file.  Moreover, capability to LIST ACTIVE.TIMES for a wildmat pattern
      as its third argument has been added in order to select wanted
      newsgroups.

    * inews now tries to authenticate if it does not receive a 200 return
      code after MODE READER.  Indeed, it might be able to post even with a
      201 return code and also with another codes like 440 or 480.

    * If creating a new history file, set the ownership and mode
      appropriately.  inncheck also expects fewer things to be private to
      the news user.  Most of the configuration files will never contain
      private information like passwords.

    * Other minor bug fixes and documentation improvements.

Changes in 2.4.3

    * Previous versions of INN had an optimization for handling XHDR
      Newsgroups that used the Xref: header from overview.  While this does
      make the command much faster, it doesn't produce accurate results and
      breaks the NNTP protocol, so this optimization has been removed.

    * Fixed a bug in innd that allowed it to accept articles with duplicated
      headers if the header occurred an odd number of times.  Modified the
      programs for rebuilding overview to use the last Xref: header if there
      are multiple ones to avoid problems with spools that contain such
      invalid articles.

    * Fixed yet another problem with verifying that a user has permissions
      to approve posts to a moderated group.  Thanks, Jens Schlegel.

    * Increase the send and receive buffer on the Unix domain socket used by
      ctlinnd.  This should allow longer replies (particularly for innstat)
      on platforms with very low default Unix domain socket buffer sizes.

    * rnews's handling of articles with nul characters, NNTP errors, header
      problems, and deferrals has been significantly improved.

    * Thomas Parmelan added support to send-uucp for specifying the funnel
      or exploder site to flush for feeds managed through one and fixed a
      problem with picking up old stranded work files.

    * Many other more minor bug fixes, optimization improvements, and
      documentation fixes.

Changes in 2.4.2

    * INN is now licensed under a less restrictive license (about as
      minimally restrictive as possible shy of public domain), and the
      clause similar to the old BSD advertising clause has been dropped.

    * "make install" and "make update" now always install the newly built
      binaries, rather than only installing them if the modification times
      are newer.  This is the behavior that people expect.  "make install"
      now also automatically builds a new (empty) history database if one
      doesn't already exist.

    * The embedded Tcl filter code has been disabled (and will be removed
      entirely in the next major release of INN).  It hasn't worked for some
      time and causes innd crashes if compiled in (even if not used).  If
      someone wants to step forward and maintain it, I recommend starting
      from scratch and emulating the Perl and Python filters.

    * ctlinnd should now successfully handle messages from INN up to the
      maximum allowable packet size in the protocol, fixing problems sites
      with many active peers were having with innstat output.

    * Overview generation has been fixed in both makehistory and innd to
      follow the rules in the latest NNTP draft rather than just replacing
      special characters with spaces.  This means that the unfolding of
      folded header lines will not introduce additional, incorrect
      whitespace in the overview data.

    * nnrpd now uniformly responds with a 480 or 502 status code to attempts
      to read a newsgroup to which the user does not have access, depending
      on whether the user has authenticated.  Previously, it returned a 411
      status code, claiming the group didn't exist, which confuses the
      reactive authentication capability of news readers.

    * If a user is not authorized to approve articles (using the "A"
      *access* control in readers.conf), articles that include Approved:
      headers will be rejected even if posted to unmoderated groups.  Some
      other site may consider that group to be moderated.

    * The configuration parser used for readers.conf and others now
      correctly handles "#" inside quoted strings and is more robust against
      unmatched double quotes.

    * Messages mailed to moderators had two spaces after the colons in the
      headers, rather than one.  This bug has been fixed.

    * A bug that could cause heap corruption and random crashes in innd if
      INN were compiled with Python support has been fixed.

    * Some problems with innd's tracking of article size and enforcement of
      the configured maximum article size have been fixed.

    * pgpverify will now correctly verify signatures generated by GnuPG and
      better supports GnuPG as the PGP implementation.

    * INN's code should now be more 64-bit clean in its handling of size_t,
      pointer differences, and casting of pointers, correcting problems that
      showed up on 64-bit platforms like AMD64.

    * Improved the error reporting in the history database code, in inews,
      in controlchan, and in expire.

    * Many other, more minor bugs have also been fixed.

Changes in 2.4.1

    * SECURITY:  Handle the special filing of control messages into per-type
      newsgroups more robustly.  This closes a potentially exploitable
      buffer overflow.  Thanks to Dan Riley for his excellent bug report.

    * Fixed article handling in innd so that articles without a Path: header
      (arising from peers sending malformatted articles or injecting
      malformatted articles through rnews) would not cause innd to crash. 
      (This was not exploitable.)

    * Fixed a serious bug in XPAT handling, thanks to Tommy van Leeuwen.

    * "configure" now looks for sendmail only in /usr/sbin and /usr/lib, not
      on the user's path.  This should reduce the need for --with-sendmail
      if your preferred sendmail is in a standard location.

    * The robustness of the tradindexed overview method has been further
      increased, handling more edge cases arising from corrupted databases
      and oddly-named newsgroups.

    * innd now never decreases the high water mark of a newsgroup when
      renumbering, which should help ameliorate overview and active file
      synchronization problems.

    * Do not close and reopen the history file on ctlinnd reload when the
      server is paused or throttled.  This was breaking ctlinnd reload all
      during a server pause.

    * Various minor portability and compilation issues fixed.  Substantial
      numbers of compiler warnings have been cleaned up, thanks largely to
      work by Ilya Kovalenko.

    * Multiple other more minor bugs have been fixed.

    * Documentation and man pages have been clarified and updated.

Upgrading from 2.3 to 2.4

    The inn.conf parser has changed between INN 2.3 and 2.4.  Due to that
    change, options in inn.conf that contain whitespace or a few other
    special characters must be quoted with double quotes, and empty
    parameters (parameters with no value) are not allowed.  INN 2.4 comes
    with a script, innupgrade, run automatically during "make update", that
    will attempt to fix any problems that it finds with your inn.conf file,
    saving the original as inn.conf.OLD.

    This change is the beginning of standardization of parsing and syntax
    across all of INN's configuration files.

    The history subsystem now has a standard API that allows other backends
    to be used.  Because of this, you now need to specify the history method
    in inn.conf.  Adding:

        hismethod: hisv6

    will tell INN to use the same history backend as was used in previous
    versions.  innupgrade should take care of this for you.

    ovdb is known to have some locking and timing issues related to how
    nnrpd shuts down (or fails to shut down) the overview databases.  If you
    have stability problems with ovdb, try setting *readserver* to true in
    ovdb.conf.  This will funnel all ovdb reads through a single process
    with a cleaner interface to the underlying Berkeley DB database.

    If you use Perl authentication for nnrpd (if *nnrpdperlauth* in inn.conf
    is true), there have been major changes.  See "Changes to Perl
    Authentication Support for nnrpd" in doc/hook-perl for details.

    Similarly, if you use Python authentication for nnrpd (if
    *nnrpdpythonauth* in inn.conf is true), there have been major changes. 
    See "Changes to Python Authentication and Access Control Support for
    nnrpd" in doc/hook-python for details.

    If you use send-uucp, it has been completely rewritten and now takes a
    configuration file to specify its behavior.  See its man page for more
    information.  If you use sendbatch, it is no longer included in INN
    since the new send-uucp can handle all of the same functionality.

    The wildmat API has been renamed (to uwildmat and friends; see
    uwildmat(3) for the interfaces) to distinguish it from Rich $alz's
    original version, since it now supports UTF-8.  This may require changes
    in other software packages that link against INN's libraries.

    If you are upgrading from a version prior to INN 2.3, see "Upgrading
    from 2.2 to 2.3".

Changes in 2.4.0

    * IPv6 support has been added, disabled by default.  If you have IPv6
      connectivity, build with --enable-ipv6 to try it.  There are no known
      bugs, but please report any problems you find (or even successes, if
      you use an unusual platform).  There are a few changes of interest;
      further information is available in doc/IPv6-info.

    * The tradindexed overview method has been completely rewritten and
      should be considerably more robust in the face of system crashes.  A
      new utility, tdx-util, is provided to examine the contents of the
      overview database, repair inconsistencies, and rebuild the overview
      for particular groups from a tradspool news spool.  See tdx-util(8)
      for more details.

    * The Perl and Python authentication hooks for readers have been
      extensively overhauled and integrated better with readers.conf.  See
      the Changes sections in doc/hook-perl and doc/hook-python for more
      details.

    * nnrpd now optionally supports article injection via IHAVE, see
      readers.conf(5).  Any articles injected this way must have Date, From,
      Message-ID, Newsgroups, Path, and Subject headers.  X-Trace and
      X-Complaints-To headers will be added if the appropriate options are
      set in readers.conf, but other headers will not be modified/inserted
      (e.g.  NNTP-Posting-Host, NNTP-Posting-Date, Organization, Lines, Cc,
      Bcc, and To headers).

    * nnrpd now handles arbitrarily long lines in POST and IHAVE;
      administrators who want to limit the length of lines in locally posted
      articles will need to add this to their local filters instead.

    * nnrpd no longer handles the poorly-specified RFC 977 optional fourth
      argument to the NEWGROUPS command specifying the "distributions" that
      the command was supposed to apply to.

      Clients that use that argument will break.  There are not believed to
      be any such clients, and it's easy enough to just filter the returned
      list of newsgroups (which is generally fairly short) to achieve the
      same results.

    * nnrpd no longer accepts UTC as a synonym for GMT for NEWGROUPS or
      NEWNEWS.  This usage was never portable, and was rejected by the NNTP
      working group.  It is being removed now in the hope that it will be
      caught before anyone starts to rely on it.

    * innfeed supports a new peer parameter, *backlog-feed-first*, that if
      set to true feeds any backlog to a peer before new articles, see
      innfeed.conf(5).  When used in combination with *max-connections* set
      to 1, this can be used to enforce in-order delivery of messages to a
      peer that is doing Xref slaving, avoiding cases where a
      higher-numbered message is received before a lower-numbered message in
      the same group.

    * Several other, more minor protocol issues have been fixed: 
      connections rejected due to the connection rate limiting in innd
      receive 400 replies instead of 504 or 505, and ARTICLE without an
      argument will always either retrieve the current article or return a
      423 error, never advance the current article number to the next valid
      article.

      See doc/compliance-nntp for all of the known issues with INN's
      compliance with the current NNTP draft.

    * All accesses to the history file for all parts of INN now go through a
      generic API like the storage and overview subsystems do.  This will
      eventually allow new history implementations to be dropped in without
      affecting the rest of INN, and will significantly improve the
      encapsulation of the history subsystem.  See the libinnhist(3) man
      page for the details of the interface.

    * INN now uses a new parser for the inn.conf file.  This means that
      parameters containing whitespace or other special characters must now
      be quoted; see inn.conf(5).  It fixes the long-standing bug that
      certain values must be included in inn.conf even if using the defaults
      for the use of shell or Perl scripts, and it will serve as the basis
      for standardizing and cleaning up the configuration file parsing in
      other parts of INN.  innupgrade is run during "make update" and should
      convert an existing inn.conf file for you.

    * send-uucp has been replaced by a completely rewritten version from
      Marco d'Itri, Edvard Tuinder, and Miquel van Smoorenburg, which uses a
      configuration file that specifies batch sizes, compression methods,
      and hours during which batches should be generated.  The old sendbatch
      script has been retired, since send-uucp can now handle everything
      that it did.

    * Two "configure" options have changed names:  --with-tmp-path is now
      --with-tmp-dir, and --with-largefiles is now --enable-largefiles, to
      improve consistency and better match the "autoconf" option guidelines.

    * Variables can now be used in the newsfeeds file to make it easier to
      specify many similar feeds or feed patterns.  See the newsfeeds(5) man
      page for details.

    * Local connections to INN support a new special mode, MODE CANCEL, that
      allows efficient batch cancellation of messages.  This is intended to
      be the preferred interface for external spam and abuse filters like
      NoCeM.  See "CANCEL FEEDS" in innd(8) for details.

    * Two new options, *nfsreader* and *nfswriter*, have been added to
      inn.conf to aid in building NFS based shared reader/writer platforms. 
      On the writer server configure *nfswriter* to true and on all of the
      readers configure *nfsreader* to true; these options add calls to
      force data out to the NFS server and force it to be read directly from
      the NFS server at the appropriate moments.  Note that it has only been
      tested on Solaris 8, using CNFS as the storage mechanism and
      tradindexed as the overview method.

    * A new option, *tradindexedmmap*, has been added to inn.conf.  If set
      to true (the default), then the tradindexed overview method will use
      mmap() to access its overview data (in 2.3 you couldn't control this;
      it always used mmap).

    * Thanks to code contributed by CMU, innfeed can now feed an IMAP server
      as well as other NNTP servers.  See the man page for innfeed(8) for
      more information.

    * An authenticator, auth_smb, that checks a username and password
      against a remote Samba server is now included.  See auth_smb(8) for
      details.

    * The wildmat functions in INN now support UTF-8, in a way that should
      allow them to still work with most simple 8-bit character sets in
      widespread use.  As part of this change, some additional wildmat
      interfaces are now available and the names have changed (to uwildmat,
      where "u" is for Unicode).  See uwildmat(3) for the details.

    * The interface between external authenticators and nnrpd is now
      properly documented, in doc/external-auth.  A library implementing
      this interface in C is provided, which should make it easier to write
      additional authenticators resolvers.  See libauth(3) for details, and
      any of the existing programs in authprogs/ for examples.

    * INN now checks to ensure that the configured temporary directory is
      not world-writeable.  Additionally, most (if not all) of the temporary
      file creation in INN now uses functions that create temporary files
      properly and safely.

    * All of the applicable bug fixes from the INN 2.3 STABLE series are
      also included in INN 2.4.

Changes in 2.3.5

    * Clients using POST are no longer permitted to provide an
      Injector-Info: header.

    * Fixed a bug causing posts with Followup-To: set to a moderated group
      to be rejected if the posting user didn't have permission to approve
      postings.

    * Fixed bugs in inncheck with setuid rnews or setgid inews, in
      innconfval with inn.conf parameters containing shell metacharacters
      but no spaces, and in parsedate.y with some versions of yacc.  Fixed a
      variety of size-related printf format warnings (e.g., %d vs. %ld)
      thanks to the work of Winfried Szukalski.

Changes in 2.3.4

    * LIST ACTIVE no longer returns data when given a single group argument
      if the client is not authorized to read that group.

    * XHDR and XPAT weren't correctly parsing article headers, resulting in
      searches for the header "newsgroup" matching the header "newsgroups".

    * Made CNFS more robust against crashes by actually syncing the cycbuff
      headers to disk as was originally intended.  Fixed a memory leak in
      the tradspool code.

    * Two bugs in pgpverify when using GnuPG were fixed:  it now correctly
      checks for gpgv (rather than pgp) when told to use GnuPG and expects
      the keyring to be pubring.gpg (not pubring.pgp).

    * Substantial updates to the sample provided control.ctl file.

    * Compilation fixes with Perl 5.8.0, Berkeley DB 4.x, current versions
      of Linux (including with large file support), and Tru64.  inndf fixes
      for ReiserFS.

    * Various bugs in the header handling in nnrpd have been fixed,
      including hangs when using virtual domains and improper processing of
      folded headers under certain circumstances.

    * Other minor bug fixes and documentation improvements.

Changes in 2.3.3

    * pgpverify now supports using GnuPG to check signatures (rather than
      PGP) without the pgpgpg wrapper.  GnuPG can check both old-style RSA
      signatures and new OpenPGP signatures and is recommended over PGP 2.6.
      If you have GnuPG installed, pgpverify will use it rather than PGP,
      which means that you may have to create a new key ring for GnuPG to
      use to verify signatures if you were previously using PGP.

    * Users can no longer post articles containing Approved: headers to
      moderated groups by default; they must be specifically given that
      permission with the *access* parameter in readers.conf.  See the man
      page for more details.

    * Two bugs in repacking overview index files and a reliability bug with
      writing overview data were all fixed in the tradindexed overview
      method, hopefully making it somewhat more reliable, particularly for
      makehistory.

    * If rc.news.local exists in the INN binary directory, it will be run
      with the start or stop argument whenever rc.news is run.  This is
      available as a hook for local startup and shutdown code.

    * The default history table hash sizes were increased because a
      too-small value can cause serious performance problems (whereas a
      too-large hash just wastes a bit of disk space).

    * The sample control.ctl file has been extensively updated.

    * Wildmat exclusions ("@" and "!") should now work properly in
      storage.conf newsgroup patterns.

    * The implementation of the -w flag for expireover was fixed;
      previously, the value given to -w to change expireover's notion of the
      current time was scaled by too much.

    * Various other more minor bug fixes, standards compliance fixes, and
      documentation improvements.

Changes in 2.3.2

    * innxmit can again handle regular filenames as input as well as storage
      API tokens (allowing it to be used to import an old traditional
      spool).

    * Several problems with tagged-hash history files have been fixed thanks
      to the debugging efforts of Andrew Gierth and Sang-yong Suh.

    * A very long-standing (since INN 1.0!) NNTP protocol bug in nnrpd was
      fixed.  The response to an ARTICLE command retrieving a message by
      Message-ID should have the Message-ID as the third word of the
      response, not the fourth.  Fixing this is reported to *possibly* cause
      problems with some Netscape browsers, but other news servers correctly
      follow the protocol.

    * Some serious performance problems with expiration of tradspool should
      now be at least somewhat alleviated.  tradspool and timehash now know
      how to output file names for removal rather than tokens, and fastrm's
      ability to remove regular files has been restored.  This should bring
      expiration times for tradspool back to within a factor of two of
      pre-storage-API expiration times.

    * Added a sample subscriptions file and documentation for it and
      innmail.

    * Various other bug fixes and documentation updates.

Changes in 2.3.1

    * inews no longer downloads the active file, no longer tries to send
      postings to moderated groups to the moderator directly, and in general
      duplicates less of the functionality of nnrpd, instead letting nnrpd
      handle it.  This fixes the problem of inews not working properly for
      users other than news without being setgid.

    * Added a man page for ckpasswd.

    * A serious bug in the embedded Perl authentication hooks was fixed,
      thanks to Jan Rychter.

    * The annoying compilation problem with embedded Perl filtering on Linux
      systems without libgdbm installed should be fixed.

    * INN now complains loudly at configure time if the configured path for
      temporary files is world-writeable, since this configuration can be a
      security hole.

    * Many other varied bug fixes and documentation fixes of all sorts.

Upgrading from 2.2 to 2.3

    There may be additional things to watch out for not listed here; if you
    run across any, please let <inn-bugs@isc.org> know about them.

    Simply doing a "make update" is not sufficient to upgrade; the history
    and overview information will also have to be regenerated, since the
    formats of both files have changed between 2.2 and 2.3.  Regardless of
    whether you were using the storage API or traditional spool under 2.2,
    you'll need to rebuild your overview and history files.  You will also
    need to add a storage.conf file, if you weren't using the storage API
    under INN 2.2.  A good default storage.conf file for 2.2 users would be:

        method tradspool {
            newsgroups: *
            class: 0
        }

    Create this storage.conf file before rebuilding history or overview.

    If you want to allow readers, or if you want to expire based on
    newsgroup name, you need to tell INN to generate overview data and pick
    an overview method by setting *ovmethod* in inn.conf.  See INSTALL and
    inn.conf(5) for more details.

    The code that generates the dbz index files has been split into a
    separate program, makedbz.  makehistory still generates the base history
    file and the overview information, but some of its options have been
    changed.  To rebuild the history and overview files, use something like:

        makehistory -b -f history.n -O -T /usr/local/news/tmp -l 600000

    (change the /usr/local/news/tmp path to some directory that has plenty
    of temporary space, and leave off -O if you're running a transit-only
    server and don't intend to expire based on group name, and therefore
    don't need overview.)  Or if your overview is buffindexed, use:

        makehistory -b -f history.n -O -F

    Both will generate a new history file as history.n and rebuild overview
    at the same time.  If you want to preserve a record of expired
    Message-IDs in the history file, run:

        awk 'NF==2 { print; }' < history >> history.n

    to append them to the new history file you created above.  Look over the
    new history file and make sure it looks right, then generate the new
    index files and move them into place:

        makedbz -s `wc -l < history.n` -f history.n
        mv history.n history
        mv history.n.dir history.dir
        mv history.n.hash history.hash
        mv history.n.index history.index

    (Rather than .hash and .index files, you may have a .pag file if you're
    using tagged hash.)

    For reader machines, nnrp.access has been replaced by readers.conf. 
    There currently isn't a program to convert between the old format and
    the new format (if you'd like to contribute one, it would be welcomed
    gratefully).  The new file is unfortunately considerably more complex as
    a result of its new capabilities; please carefully read the example
    readers.conf provided and the man page when setting up your initial
    configuration.  The provided commented-out examples cover the most
    common installation (IP-based authentication for all machines on the
    local network).

    INN makes extensive use of mmap(2) for the new overview mechanisms, so
    at the present time NFS-mounting the spool and overview on multiple
    reader machines from one central server probably isn't feasible in this
    version.  mmap tends to interact poorly with NFS (at the least, NFS
    clients won't see updates to the mapped files in situations where they
    should).  (The preferred way to fix this would, rather than backing out
    the use of mmap or making it optional, to add support for Diablo-style
    header feeds and pull-on-demand of articles from a master server.)

    The flags for overchan have changed, plus you probably don't want to run
    overchan at all any more.  Letting innd write overview data itself
    results in somewhat slower performance, but is more reliable and has a
    better failure mode under high loads.  Writing overview data directly is
    the default, so in a normal upgrade from 2.2 to 2.3 you'll want to
    comment out or remove your overchan entry in newsfeeds and set
    *useoverchan* to false in inn.conf.

    crosspost is no longer installed, and no longer works (even with
    traditional spool).  If you have an entry for crosspost in newsfeeds,
    remove it.

    If you're importing a traditional spool from a pre-storage API INN
    server, it's strongly recommended that you use NNTP to feed the articles
    to your new server rather than trying to build overview and history
    directly from the old spool.  It's more reliable and ensures that
    everything gets put into the right place.  The easiest way to do this is
    to generate, on your old server, a list of all of your existing article
    files and then feed that list to innxmit.  Further details can be found
    in the FAQ at <https://www.eyrie.org/~eagle/faqs/inn.html>.

    If you are using a version of Cleanfeed that still has a line in it
    like:

        $lines = $hdr{'__BODY__'} =~ tr/\n/\n/;

    you will need to change this line to:

        $lines = $hdr{'__LINES__'};

    to work with INN 2.3 or later.  This is due to an internal optimization
    of the interface to embedded filters that's new in INN 2.3.

Changes in 2.3.0

    * New readers.conf file (replaces nnrp.access) which allows more
      flexible specification of access restrictions.  Included in the sample
      implementations is a RADIUS-based authenticator.

    * Unified overview has been replaced with an overview API, and there are
      now three separate overview implementations to choose from.  One
      (tradindexed) is very like traditional overview but uses an additional
      index file.  The second (buffindexed) uses large buffers rather than
      separate files for each group and can handle a higher incoming article
      rate while still being fast for readers.  The third (ovdb) uses
      Berkeley DB to store overview information (so you need to have
      Berkeley DB installed to use it).  The *ovmethod* key in inn.conf
      chooses the overview method to use.

      Note that ovdb has not been as widely tested as the other overview
      mechanisms and should be considered experimental.

    * All article storage and retrieval is now done via the storage API. 
      Traditional spool is now available as a storage type under the storage
      API.  (Note that the current traditional spool implementation causes
      nightly expire to be extremely slow for a large number of articles, so
      it's not recommended that you use the tradspool storage method for the
      majority of a large spool.)

    * The timecaf storage method has been added, similar to timehash but
      storing multiple articles in a single file.  See INSTALL for details
      on it.

    * INN now supports embedded Python filters as well as Perl and Tcl
      filters, and supports Python authentication hooks.

    * There is preliminary support for news reading over SSL, using OpenSSL.

    * To simplify anti-abuse filtering, and to be more compliant with news
      standards and proposed standards, INN now treats as control messages
      only articles containing a Control: header.  A Subject: line beginning
      with "cmsg " is no longer sufficient for a message to be considered a
      control message, and the Also-Control: header is no longer supported.

    * The INN build system no longer uses subst.  (This will be transparent
      to most users; it's an improvement and modernization of how INN is
      configured.)

    * The build and installation system has been substantially overhauled. 
      "make update" now updates scripts as well as binaries and
      documentation, there is better support for parallel builds ("make
      -j"), there is less "make" recursion, and far more of the
      system-dependent configuration is handled directly by "autoconf". 
      libtool build support (including shared library support) should be
      better than previous releases.

    * All of the applicable bug fixes from the INN 2.2 STABLE series are
      also included in INN 2.3.

Changes in 2.2.3

    * INN no longer installs inews setgid news or rnews setuid root by
      default.  If you need the old behavior, --enable-uucp-rnews and/or
      --enable-setgid-inews must be given to "configure".  See INSTALL for
      more information.

    * A security hole when *verifycancels* is turned on in inn.conf (not the
      default) was fixed.

    * Message-IDs are now limited to 250 octets to prevent interoperability
      problems with other servers.

    * Various other security paranoia fixes have been made.

    * Embedded Perl filters fixed to work with Perl 5.6.0.

    * Lots of bug fixes.

Changes in 2.2.2

    * Various minor bug fixes and a Y2K bug fix.  The Y2K bug is in version
      version 2.2.1 only and will show up after Jan 1st, 2000 when a news
      reader issues a NEWNEWS command for a date prior to the year 2000.

Changes in 2.2.1

    * Various bug fixes, mostly notably fixes for potential buffer overflow
      security vulnerabilities.

Changes in 2.2.0

    * New storage.conf file (replaces storage.ctl).

    * New (optional) way of handling non-cancel control messages
      (controlchan) that serializes them and prevents server overload from
      control message storms.

    * Support for actsyncd to fetch active file with ftp; configured by
      default to use <ftp://ftp.isc.org/pub/usenet/CONFIG/active.Z> if you
      run actsyncd.  Be sure to read the manual page for actsync to
      configure an actsync.ign file for your site, and test simpleftp if you
      do not "configure" with wget or ncftp.  Also see
      <https://ftp.isc.org/pub/usenet/CONFIG/README>.

    * Some options to "configure" are now moved to inn.conf
      (*merge-to-groups* and *pgp-verify*, without the hyphen).

    * inndf, a portable version of df(1), is supplied.

    * New cnfsstat program to show stats of CNFS buffers.

    * news2mail and mailpost programs for gatewaying news to mail and mail
      to news are supplied.

    * pullnews program for doing a sucking feed is provided (not meant for
      large feeds).

    * The innshellvars.csh.in script is obsolete (and lives in the obsolete
      directory, for now).

    $Id: news.pod 10326 2019-02-04 14:22:34Z iulius $