Debian: Security flaw in FSP

From: Vanja Hrustic (vanjaat_private)
Date: Sat Nov 28 1998 - 13:37:01 PST

    This was posted on Freshmeat.net two days ago. Haven't seen it on Bugtraq.
    
    "The fsp package introduces a possible security flaw. When the fsp package
    is installed it adds the ftp user without prompting the admin. This can
    enable anonymous FTP if you use the standard ftp or wu-ftpd as your FTP
    daemon. If you have installed fsp and a FTP daemon and do not want to
    have anonymous FTP enabled you should remove the ftp account. Please note
    that if you use proftpd as the FTP daemon this flaw will not affect you,
    since it required one to enable anonymous FTP manually.
    
    There are fixed packages available (2.71-10) which *do not* remove the FTP
    user, you will have to do this manually."
    
    ftp://ftp.debian.org/pub/debian/dists/proposed-updates/
    
    
    Vanja Hrustic
    Information Systems Manager
    Siam Relay Ltd.
    Phone: +662-713-5130
    Fax  : +662-713-5132
    
    http://www.siamrelay.com - Siam Relay Ltd. - Security & E-Commerce
    http://safer.siamrelay.com - Security Alert For Enterprise Resources
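
An audit check for the condition the advisory describes, added here as an example and not part of the original post or the Debian advisory. The function names are hypothetical, and the `ftpusers` check is an assumption: BSD-derived ftpd and wu-ftpd refuse anonymous logins when `ftp` or `anonymous` is listed in that file.

```shell
#!/bin/sh
# Added audit example (not from the advisory). File paths are parameters so
# the check can run against copies as well as the live /etc files.

# Print the passwd entry for the "ftp" account; exit status 1 if it is absent.
ftp_account_entry() {
    awk -F: '$1 == "ftp" { print; found = 1 } END { exit !found }' "$1"
}

# Exit status 0 if the ftpusers file lists "ftp" or "anonymous".
# Assumption: the daemon honours ftpusers for anonymous logins
# (true of BSD-derived ftpd and wu-ftpd).
anon_denied_by_ftpusers() {
    [ -r "$1" ] || return 1
    awk '{ sub(/#.*/, ""); if ($1 == "ftp" || $1 == "anonymous") found = 1 }
         END { exit !found }' "$1"
}

# Classify a host from its passwd and ftpusers files.
audit_anon_ftp() {
    passwd_file=$1
    ftpusers_file=$2
    if ! ftp_account_entry "$passwd_file" >/dev/null; then
        echo "ok: no ftp account"
    elif anon_denied_by_ftpusers "$ftpusers_file"; then
        echo "ok: ftp account present but denied in ftpusers"
    else
        echo "review: ftp account present, anonymous FTP may be enabled"
    fi
}

# Constructed sample data: a passwd file containing an ftp account, and an
# ftpusers file that does not deny it.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'ftp:x:100:65534::/home/ftp:/bin/false' > "$tmp/passwd"
printf '%s\n' '# users denied FTP access' 'root' > "$tmp/ftpusers"
audit_anon_ftp "$tmp/passwd" "$tmp/ftpusers"
rm -rf "$tmp"
```

On a live system the call would be `audit_anon_ftp /etc/passwd /etc/ftpusers`; a "review" result only matters if the standard ftp daemon or wu-ftpd is installed, as the advisory notes.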
    


