[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] new version of fsp fixes security flaw

We have found that the fsp package introduces a possible security flaw.
When the fsp package is installed it adds the ftp user without prompting
the admin. This can enable anonymous FTP if you use the standard ftp or
wu-ftpd as your FTP daemon.

If you have have installed fsp and a FTP daemon and do not want to have
anonymous FTP enabled you should remove the ftp account. This can be done
with the command "userdel ftp".

Please note that if you use proftpd as the FTP daemon this flaw will not
affect you, since it required one to enable anonymous FTP manually.

We have fixed this in fsp 2.71-10. Please note that if you have already
installed fsp upgrading to this version will not remove the FTP user,
you will have to do manually.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.0 alias hamm

  This version of Debian was released only for the Intel and the
  Motorola 680x0 architecture.

  Source archives:
      MD5 checksum: 4cce768adb80e9ea5ff7d96b98369624
      MD5 checksum: 367fe0c589f4bca9b1e76babc1d50edc
      MD5 checksum: b232716fdfbe82960ad7aec53c2712bd

  Intel architecture:
      MD5 checksum: 9385c3e6891892d38b47682fa076f559

  Motorola 680x0 architecture:
      MD5 checksum: d4f4cfac9c303bf61fb23801722709d2

  These files will be moved into
  ftp://ftp.debian.org/debian/dists/hamm/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

Debian GNU/Linux      .    Security Managers     .   security@debian.org
  Christian Hudon     .     Wichert Akkerman     .     Martin Schulze
<chrish@debian.org>   .   <wakkerma@debian.org>  .   <joey@debian.org>

Attachment: pgpJBCoEVvenO.pgp
Description: PGP signature

Reply to: