Date: Sat, 28 Nov 1998 16:37:01 -0500
From: Vanja Hrustic <[email protected]>
To: [email protected]Subject: Debian: Security flaw in FSP
This was posted on Freshmeat.net two days ago. Haven't seen it on Bugtraq.
"The fsp package introduces a possible security flaw. When the fsp package
is installed it adds the ftp user without prompting the admin. This can
enable anonymous FTP if you use the standard ftp or wu-ftpd as your FTP
daemon. If you have have installed fsp and a FTP daemon and do not want to
have anonymous FTP enabled you should remove the ftp account. Please note
that if you use proftpd as the FTP daemon this flaw will not affect you,
since it required one to enable anonymous FTP manually.
There are fixed packages available (2.71-10) which *do not* remove the FTP
user, you will have to do this manually."
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/
Vanja Hrustic
Information Systems Manager
Siam Relay Ltd.
Phone: +662-713-5130
Fax : +662-713-5132
http://www.siamrelay.com - Siam Relay Ltd. - Security & E-Commerce
http://safer.siamrelay.com - Security Alert For Enterprise Resources