fsp package


    Debian Linux


    Vanja  Hrustic  posted  following.   The  fsp package introduces a
    possible security flaw.  When the fsp package is installed it adds
    the  ftp  user  without  prompting  the  admin.  This  can  enable
    anonymous FTP if you use the  standard ftp or wu-ftpd as your  FTP
    daemon.  If you  have have installed fsp  and a FTP daemon  and do
    not want to have anonymous  FTP enabled you should remove  the ftp
    account.  Please note  that if you use  proftpd as the FTP  daemon
    this flaw  will not  affect you,  since it  required one to enable
    anonymous FTP manually.


    There are fixed packages available (2.71-10) which *do not* remove
    the FTP user, you will have to do this manually:

    Debian's announcement can be found at:

    Debian GNU/Linux 2.0r5 has fixed this (fsp_2.71-8hamm10.deb).