[ANNOUNCE] INN 2.2.3 available

[patrick () PINE NL (patrick () PINE NL)]

The Internet Software Consortium is pleased to announce that a new bug-fix
release of INN is available at:

    ftp://ftp.isc.org/isc/inn/inn-2.2.3.tar.gz

The MD5 checksum of this release is:

    0c0f71d79cc2b4fbd5bad4a7f093f53f

A PGP signature will soon be available in the same directory.  There is a
patch from 2.2.2 to 2.2.3 available there as well.

This is primarily a security and bug-fix release over 2.2.2.  Among other
things, this fixes the widely-reported security hole in verifycancels.
Anyone running INN 2.0 or later is strongly encouraged to upgrade to this
release (INN 1.7 and earlier is not vulnerable to that hole).  Upgrading
an existing INN 2.2.x installation is as simple as building INN 2.2.3 and
running make update.

Changes from 2.2.2 are:

  * INN no longer installs inews setgid news or rnews setuid root by
    default.  If you need the old behavior, --enable-uucp-rnews and/or
    --enable-setgid-inews must be given to configure.  See INSTALL
    for more information.

  * A security hole when verifycancels is turned on in inn.conf (not
    the default) was fixed.

  * Message IDs are now limited to 250 octets to prevent
    interoperability problems with other servers.

  * Various other security paranoia fixes have been made.

  * Embedded Perl filters fixed to work with Perl 5.6.0.

  * Lots of bug fixes.

This will be the final release of the INN 2.2.x series, barring major
security holes.  INN 2.3.0 will be released shortly, and features a
significantly different internal architecture.  Development has already
begun on the INN 2.4.x series.

Please submit all bug reports to inn-bugs () isc org.  Please send all
patches to inn-patches () isc org.

                                        Russ Allbery
                                        Katsuhiro Kondou
                                        inn () isc org