Hi, If you look in /etc/cron.* (hourly, monthly, etc)., there are some files owned by user news. I could be wrong, but doesn't this make user news equivalent to user root? These cron files should be owner by user root, group root. Note that there have been plenty of user news compromises in the past!
Additionally, on an upgrade the news.crit, news.err, news.notice retain root ownership settings and inn(news) cannot access them. 6.2 -->7.0
Should all be resolved with next rpm in rawhide. Thanks a lot for this report.
Isn't that issue a candidate for a security errata update?