inn-2.6.5-bp155.1.38

- Update to version 2.6.5:
  * A new step in INN development has been achieved with the migration of
    the INN project to GitHub.
  * An up-to-date nocem.ctl file is provided with this release.  You
    should manually update your nocem.ctl file with the new information
    recorded about NoCeM issuers, and make sure the right PGP keys are
    present on your system.
  * Up-to-date control.ctl and moderators files are provided with this
    release.  You should manually update them (notably for the fido7.*
    hierarchy).
  * Added a stricter validation of article numbers given in NNTP commands
    so that numbers superior to 2^31 are correctly considered invalid.
    Thanks to Richard Kettlewell for the patch.
  * Added a check in rc.news for the existence of the *pathrun* directory.
    INN won't start until this directory is writable.  Previously, it
    bailed out quickly after starting, without clear logs about why it
    failed.
  * Fixed parallel builds using "make -j".  Thanks to Richard Kettlewell
    for the path.
  * nnrpd now properly gathers timer statistics when a compression layer
    is active.
  * nnrpd now properly discards data received from a news client after a
    timeout when a TLS layer is active.  It previously tried to read
    incoming data before closing the socket, leading to decoding errors
    from an underlying compression or SASL layer.
  * innfeed and ovdb_stat now generate status reports in valid HTML
    syntax.
  * Fixed a bug in the buffindexed overview that prevented it from working
    on several systems, amongst them FreeBSD.  Unsupported, and useless,
    permission bits were given to semaphores.
  * Fixed the detection of library paths at configure time: multilib
    directories (lib32 or lib64) are now also used if they exist, even it
    the system does not use multilib.  It will notably fix the detection
    of the OpenSSL 3.0.0 library.
  * The *tlscertfile* parameter in inn.conf now permits the use of a
    complete certificate chain, instead of necessarily having to use
  * tlscafile* for additional certificates.
  * Added support for the new OpenSSL 3.0.0 API, which deprecated a few
    functions.
  * The inn.conf default value for *tlsprotocols* no longer contains TLS
    versions 1.0 and 1.1, which have been deprecated by RFC 8996.
  * A new inn.conf parameter has been added to tune the length of the
    queue of pending connections to innd, nnrpd and the "ovdb" overview
    storage method: the *maxlisten* parameter now permits configuring
    their listen backlog, whose previously hard-coded values were 128 for
    nnrpd and 25 for the others, which was not high enough for some uses.
    The default value is now 128 for all of them, and configurable in
    inn.conf.  Thanks to Kevin Bowling for the patch.
  * The name of seven man pages for routines built in libinn(3) are now
    prefixed with libinn_ so as not to consume namespace and conflict with
    other packages (notably, the list(3) and uwildmat(3) man pages are now
    named libinn_list(3) and libinn_uwildmat(3)).
  * Other minor bug fixes and documentation improvements, notably a
    revised installation checklist and a section summarizing the most used
    configuration at the beginning of a few complex man pages.
- delete inn-2.6.4.diff patch
- add inn-2.6.5.diff patch instead

- Update to version 2.6.4:
  + Bug Fix: nnrpd now adapts the length of the DH parameter used
    during a DHE key exchange so as to comply with the security
    level OpenSSL 1.1.0 or later expects.
  + New Features:
  * Added support for systemd notifications and socket
    activation. Use of more features provided by systemd,
    including more notifications, will come in future releases.
  * cnfsstat now also returns information about retired CNFS
    buffers: buffers mentioned in cycbuff.conf as a cycbuff but
    not declared in a metacycbuff.
  * Switch default innreport behaviour to the common practice of
    externalizing CSS into a separate file. Its name can be
    configured with the html_css_url parameter in innreport.conf.
    If this parameter is unset, the default innreport.css file
    name will be used and innreport will generate this CSS file
    for you. Previously generated reports are kept untouched,
    though, and will still contain inline CSS if you had not
    already set the html_css_url parameter in previous INN
    versions.
  * sm can now read and store any number of articles given in
    wire format on its standard input when both -s and -R are
    used. Only native format was previously possible.
  * Added new -a flag to rnews to disallow, if needed, the use of
    additional unpackers from the rnews.libexec sub-directory of
    pathbin (as set in inn.conf); only rnews and cunbatch will
    then be recognized as valid batch commands.
  * Added new -b flag to rnews to save rejected articles in the
    bad sub-directory of pathincoming (as set in inn.conf).
    Otherwise, rnews just logs and discards any articles that are
    rejected or cannot be parsed for some reason.
  * Added new -d flag to rnews to log via syslog the message-ID
    and the Path header body of each article rejected as a
    duplicate.
  * Added new --enable-hardening-flags configure-time option,
    enabled by default, to use hardening build flags like -fPIE
    and -fstack-protector-strong. This option can easily be
    disabled if the compiler or the platform does not support
    them well. More hardening build flags will eventually be
    added in future releases.
- Rename inn-2.6.3.diff to inn-2.6.4.diff.
- Use url in sources as far as possible.

- Added hardening to systemd service(s) (bsc#1181400). Modified:
  * inn.service

- Switch BuildRequires to python3-devel, to build using Python 3.

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- rename the list.3 manpage to list-inn.3 as it conflicts with the
  list.3 manpage from the man-pages 5.09 package [bnc#1178534]

- update to inn-2.6.3
  + Fixed the selection of the elliptic curve to use with OpenSSL 1.1.0 or
    later; NIST P-256 was enforced instead of using the most secure curve.
  + A new inn.conf parameter has been added to fine-tune the cipher suites
    to use with TLS 1.3:  the *tlsciphers13* now permits configuring them.
    A separate cipher suite configuration parameter is needed for TLS 1.3
    because TLS 1.3 cipher suites are not compatible with TLS 1.2, and
    vice-versa.  In order to avoid issues where legacy TLS 1.2 cipher
    suite configuration configured in the *tlsciphers* parameter would
    inadvertently disable all TLS 1.3 cipher suites, the inn.conf
    configuration has been separated out.
  + Fixed a regression since INN 2.6.1 that prevented articles with
    internationalized header fields (that is to say encoded in UTF-8) from
    being posted.
  + Support for Python 3 has been added to INN.  Embedded Python filtering
    and authentication hooks for innd and nnrpd can now use version 3.3.0
    or later of the Python interpreter.  In the 2.x series, version 2.3.0
    or later is still supported.
  + When configuring INN with the --with-python flag, the "PYTHON"
    environment variable, when set, is used to select the interpreter to
    embed.  Otherwise, it is searched in standard paths.
  + In case you change the Python interpreter to embed, make sure that the
    Python scripts you use are written in the expected syntax for that
    version of the Python interpreter.  Notably, buffer objects have been
    replaced with memoryview objects in Python 3, and UTF-8 encoding now
    really matters for string literals (Python 3 uses bytes and Unicode
    objects).
  + INN documentation and samples of Python hooks have been updated to
    provide more examples.
  + When a Python or Perl filter hook rejects an article, innd now
    mentions the reason in response to CHECK and TAKETHIS commands.
    Previously, the reason was given only for the IHAVE command.
  + nnrpd now properly logs the hostname of clients whose connection
    failed owing to an issue during the negotiation of a TLS session or
    high load average.
- renamed and refreshed inn-2.6.2.diff to inn-2.6.3.diff
- fix upstream URL
- (build)require openssl-devel and python-devel and build with
  - -with-python and --with-openssl support
- remove outdated/unknown configure options:
  - -enable-dual-socket, --enable-ipv6 and --with-etc-dir
- use 'Development/Languages/C and C++' as RPM group for the -devel
  package
- require appropriate -devel packages for -devel package installs

- Add -fcommon to allow building against GCC10

- change user to news before calling innupgrade
  [bnc#1182321] [CVE-2021-31998]

- Use -ffat-lto-objects when building static libraries.

- update to inn-2.6.2
  * support for compressed newsfeeds
  * many bug fixes and documentation improvements
  * dropped patch: inn-2.5.4.diff
  * new patch: inn-2.6.2.diff
- use native systemd service [#1116017]
  * new file: inn.service

- change file owners in /usr/lib/news to root
  [bnc#1172573] [CVE-2020-8026]

- change user to news before touching files in /var/log/news
  [bnc#1154302] [CVE-2019-3692]

- Add directories formerly owned by filesystem
- Require group and user news
- Require group uucp

- Fix tmpfiles.d usage to give it at least a chance to work

- fix bashisms
- updated patches:
  + inn-2.5.4.diff

- enable IPv6
- get rid of gpg-offline as we nowadays check signatures in
  the source validator

- update to inn-2.5.4
  * updated control.ctl file
  * improved signature checking in pgpverify
  * new "htmlstatus" config option
  * many bugs fixed
  * removed patches: inn-linereset.diff
  * renamed patches: inn-2.5.2.diff -> inn-2.5.4.diff
- fix innbind file mode
- fix empty history database on 64bit [bnc#876287]

- make /usr/lib/news/bin owned by root

- add libperl_requires, as we link against libperl and thus
  need a specific version of perl

- Verify GPG signature.

- fix ownership of directories so subpackages can be installed with
  rpm 4.10

- fix starttls command injection issue [bnc#776967]
- fix /var/run/news permission and handling.

- Use set_permissions instead of run_permissions.
- Handle /var/run on tmpfs.

- license update: GPL-2.0+ and BSD-4-Clause
  SPDX format and also include *.in files from control/ as BSD-4-Clause

- require perl-MIME-tools

- adapt innbind modes to permissions file

- compile with largefile support

- update to inn-2.5.2
  * implement CAPABILITIES command
  * decent parser for NNTP commands
  * multiple LIST commands allow pattern matching

- fix fd leak [bnc#525827]

- provide Patch0

- fix segfault in perl_call_argv [bnc#405186]

- Add missing Provides to the init script