Log Message:
update to 2.6.1. Excerpt from NEWS:

Upgrading from 2.5 to 2.6

The following changes require your full attention because a manual intervention \ 
may be needed:

    The name and location of the pullnews configuration file have changed. It is \ 
now pullnews.marks, located in pathdb when pullnews is run as the news user, or \ 
otherwise in the running user's home directory. This file was previously stored \ 
in .pullnews in the running user's home directory (even for the news user). If \ 
you use pullnews, you need to manually move and rename the configuration file; \ 
otherwise, it will no longer work. Note that the -c flag passed to pullnews \ 
allows to specify another configuration file, if need be.

    The default location of the mailpost database directory has changed from \ 
pathtmp to pathdb. If you use mailpost without an explicitly specified database \ 
directory (using the -b flag), then you should manually move your current \ 
database files mailpost-msgid.dir and mailpost-msgid.pag from pathtmp to pathdb.

    If you have been using TLS/SSL with nnrpd before, be aware that the default \ 
value of a few inn.conf parameters have changed: the server now decides the \ 
preferred cipher (instead of the client), and only TLS protocols are allowed \ 
(using the flawed SSLv2 and SSLv3 protocols is now disabled). If you want to \ 
change these settings, the respective tlspreferserverciphers and tlsprotocols \ 
parameters can be tuned to your needs.

    The --with-kerberos configure flag used to add Kerberos v5 support has been \ 
renamed to --with-krb5.

    The --with-berkeleydb configure flag used to add Berkeley DB support has \ 
been renamed to --with-bdb.

    The --enable-ipv6 configure flag no longer exists. IPv6 is now \ 
unconditionally enabled, if available.

    $HOME is no longer exported as an environment variable by innshellvars, \ 
innshellvars.tcl and the Perl module INN::Config. It was previously overriding \ 
the default user home directory with pathnews. If you use these scripts in your \ 
own scripts, you will have to take care of that change.

    Owing to the implementation of RFC 4643 (AUTHINFO USER/PASS) in innd, if \ 
remote peers have to authenticate in order to feed articles, they now have to \ 
send a username (which was previously wrongly optional), before sending their \ 
password. The mandatory username, though currently unused by innd, can be \ 
whatever the remote peer wishes. In previous versions of INN, inncheck was \ 
already complaining when passwd.nntp contained an empty username associated with \ 
a password.

    A manual review of authenticated feeds should then be done so as to ensure \ 
that they are properly working.

    The Injection-Date: and Injection-Info: headers are now generated by nnrpd \ 
at injection time instead of the NNTP-Posting-Date:, NNTP-Posting-Host:, \ 
X-Complaints-To: and X-Trace: headers. Local scripts that were using (for \ 
authentication, privacy, etc.) these now deprecated headers should be updated. \ 
Also note that the Path: header of locally posted articles can also contain the \ 
contents of the deprecated NNTP-Posting-Host: field.

    The two addnntppostingdate and addnntppostinghost parameters in inn.conf \ 
have been respectively renamed to addinjectiondate and addinjectionpostinghost. \ 
innupgrade takes care of the modification only for inn.conf; a manual change \ 
will therefore be needed for readers.conf, if these parameters are overridden in \ 
this file.

    The default values of a few inn.conf parameters have changed to make use of \ 
the vastly expanded storage and RAM commonly available today: datamovethreshold \ 
(from 8192 to 16384), msgidcachesize (from 16000 to 64000), overcachesize (from \ 
64 to 128), and wireformat (now enabled by default).

    The generation of status reports and performance timings are now also \ 
enabled by default: logstatus and nnrpdoverstats parameters, with a frequency of \ 
10 minutes (status and timer parameters).

    The default value of max-queue-size has changed from 5 to 20, and use-mmap \ 
now defaults to true for innfeed.conf.

Changes in 2.6.1

    nnrpd now uses -0000 as the time zone for Date: and Injection-Date: header \ 
fields it generates. It was previously using +0000, wrongly systematically \ 
indicating a local time zone at Universal Time when localtime is set to false \ 
(which is the default) in readers.conf. The +0000 time zone will now be used \ 
only if localtime is set to true and UTC is really the local time zone of the \ 
server.

    Julien Elie has implemented in nnrpd the new COMPRESS command described in \ 
draft-murchison-nntp-compress that extends the NNTP protocol to allow a \ 
connection to be effectively and efficiently compressed. News clients that also \ 
support that extension will be able to benefit from that bandwidth optimization \ 
and improvement in speed. Moreover, using COMPRESS is more secure than TLS-level \ 
compression, as far as authentication credentials are concerned.

    The default value for the tlscompression parameter in inn.conf has changed. \ 
TLS-level compression is now disabled by default, to comply with the best \ 
current practices for a secure use of TLS in application protocols like NNTP. \ 
Using the new COMPRESS command is recommended.

    The tlscompression parameter in inn.conf now also permits to disable \ 
TLS-level compression with OpenSSL 0.9.8. It previously had an effect only when \ 
OpenSSL 1.0.0 or later was used.

    rnews no longer segfaults at startup when started setuid news. Thanks to \ 
Marcus Jodorf for the bug report.

    Fixed slow nnrpd responses for a few NNTP commands. The TCP_NODELAY option \ 
was unconditionally set whereas only BSD/OS systems needed it. Thanks to \ 
Christian Mock for having discovered that.

    Articles containing a Received: or a Posted: header field are no longer \ 
rejected by nnrpd at injection time.

    Articles containing control characters or whitespace-only content lines in \ 
their headers are now rejected by nnrpd at injection time.

    OpenSSL 1.1.0 support has been added to INN.

    When an encryption layer is negotiated during a successful use of the \ 
STARTTLS command, or after a successful authentication using a SASL mechanism \ 
that negotiates an encryption layer, nnrpd now updates the permissions of the \ 
news client according to the new secure state of his connection (that is to say \ 
auth blocks in readers.conf using the require_ssl parameter are taken into \ 
account). Previously, only connections on a dedicated port (usually 563) were \ 
taking benefit from that parameter. Thanks to Steve Crook for the bug report.

    When a data integrity layer was negotiated during a successful SASL \ 
authentication, nnrpd was wrongly reseting any knowledge obtained from the \ 
client, such as the current newsgroup and article number. This behaviour now \ 
applies only when an encryption layer is negotiated.

    nntpsend now correctly waits until all of the child innxmit processes exit \ 
before it does. It was causing nntpsend to fail to work properly on systems that \ 
use systemd, because when it exits prematurely, systemd kills all of the \ 
processes it launched, including the innxmit processes. Thanks to Jonathan \ 
Kamens for the patch.

    Update from GNU Libtool 2.4.2 to 2.4.6.

    Other minor bug fixes and documentation improvements.
Changes in 2.6.0

    The NNTP protocol requires a username to be sent before a password when \ 
authentication is used. innd was wrongly allowing only a password to be sent by \ 
authenticated peers. See the note above for more details.

    The Lines: header is no longer generated by nnrpd at injection time.

    The Injection-Date: header is now generated by nnrpd at injection time \ 
instead of the deprecated NNTP-Posting-Date: header, when addinjectiondate is \ 
set to true. Note that addnntppostingdate has been renamed to addinjectiondate \ 
in inn.conf.

    The Injection-Info: header is now generated by nnrpd at injection time \ 
instead of the deprecated NNTP-Posting-Host: (when addinjectionpostinghost is \ 
set to true), X-Complaints-To: and X-Trace: headers. Note that \ 
addnntppostinghost has been renamed to addinjectionpostinghost in inn.conf. The \ 
Path: header of locally posted articles now also contains the contents of the \ 
NNTP-Posting-Host: header.

    A new addinjectionpostingaccount parameter has been added in inn.conf. When \ 
set to true, the Injection-Info: header field contains an additional \ 
posting-account attribute that mentions the username assigned to the user at \ 
connection time or after authentication. The default value for this parameter is \ 
false.

    A few headers are now considered as obsolete by nnrpd at injection time: \ 
NNTP-Posting-Date:, NNTP-Posting-Host:, X-Complaints-To:, X-Trace:, \ 
Also-Control:, Article-Names:, Article-Updates:, and See-Also: headers.

    Besides, nnrpd will similarly reject obsolete sendsys, senduuname and \ 
version control messages.

    The presence of a Subject: header field beginning with cmsg no longer causes \ 
an article to be interpreted as a control message by nnrpd at injection time.

    nnrpd no longer differentiates IHAVE from POST. Articles injected with IHAVE \ 
are now treated as though they were injected with POST. It means that if the \ 
previous behaviour of IHAVE was expected, innd should handle itself the \ 
connection instead of nnrpd.

    The name of the pullnews configuration file is now pullnews.marks located in \ 
pathdb when pullnews is run as the news user, or otherwise in the running user's \ 
home directory. It was previously stored in .pullnews in the running user's home \ 
directory (even for the news user).

    Fixed a leak of semaphores when using buffindexed. Thanks to Richard \ 
Kettlewell for having fixed the issue.

    Building with Libtool is no longer optional. The --enable-libtool option to \ 
configure has been removed.

    DESTDIR and non-root installs are now properly supported and documented in \ 
INSTALL. The make install, make update and make cert steps properly obey \ 
DESTDIR. Besides, it is no longer a requirement that the installation step be \ 
done by the superuser, as long as the user executing the install has supplied a \ 
DESTDIR value that points to a writable directory, and the person or process \ 
performing the install corrects the file ownerships when INN is installed on the \ 
system on which it's going to run. Thanks to James Ralston for this support.

    When building INN with Berkeley DB, Cyrus SASL, Kerberos v5, OpenSSL, or \ 
zlib support, no longer add standard locations to compiler and linker include \ 
flags. Such default paths are now added only if explicitly given to one or more \ 
of the --with-bdb, --with-bdb-include, --with-bdb-lib, --with-sasl, \ 
--with-sasl-include, --with-sasl-lib, --with-krb5, --with-krb5-include, \ 
--with-krb5-lib, --with-openssl, --with-openssl-include, --with-openssl-lib, \ 
--with-zlib, --with-zlib-include, or --with-zlib-lib configure flags (the flags \ 
ending with -include and -lib are new in INN 2.6.0).

    If the Berkeley DB, Cyrus SASL, Kerberos v5, or OpenSSL SSL and crypto \ 
libraries are found at configure time, INN will now be built with support for \ 
them unless respectively the --without-bdb, --without-sasl, --without-krb5, or \ 
--without-openssl flags are explicitly passed to configure.

    Note that it was already the default behaviour for zlib support when \ 
Berkeley DB support was also enabled.

    The configure flag --enable-reduced-depends has been added to request that \ 
library probes assume shared libraries are in use and dependencies of libraries \ 
should not be probed. It therefore tries to minimize the shared library \ 
dependencies of the resulting binaries on platforms with proper shared library \ 
dependencies. This is not enabled by default, and is of interest primarily to \ 
people building packages for distributions.

    Building INN with Python support now requires the use of Python 2.2.0 or \ 
later as the distutils.sysconfig module used was introduced with Python 2.2.0.

    The INN test suite driver is now fully synchronized with the upstream \ 
version of the C TAP Harness package maintained by Russ Allbery. Keeping the INN \ 
test suite driver up-to-date will be possible thanks to a new getc-tap-harness \ 
script in the support directory that automatically fetches the latest upstream \ 
changes.

    Similarly, the new getrra-c-util script permits to keep most of the utility \ 
and portability functions synchronized with the upstream version of the \ 
rra-c-util package maintained by Russ Allbery.

    Other minor bug fixes and documentation improvements.