We have found that the fsp package introduces a possible security flaw. When the fsp package is installed it adds the ftp user without prompting the admin. This can enable anonymous FTP if you use the standard ftpd or wu-ftpd as your FTP daemon. If you have installed fsp and an FTP daemon and do not want anonymous FTP enabled, you should remove the ftp account. This can be done with the command "userdel ftp". Please note that if you use proftpd as the FTP daemon this flaw will not affect you, since it requires one to enable anonymous FTP manually.

We have fixed this in fsp 2.71-10. Please note that if you have already installed fsp, upgrading to this version will not remove the ftp user; you will have to do so manually.

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

Debian GNU/Linux 2.0 alias hamm
-------------------------------

This version of Debian was released only for the Intel and the Motorola 680x0 architectures.

Source archives:
  ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71.orig.tar.gz
    MD5 checksum: 4cce768adb80e9ea5ff7d96b98369624
  ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10.diff.gz
    MD5 checksum: 367fe0c589f4bca9b1e76babc1d50edc
  ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10.dsc
    MD5 checksum: b232716fdfbe82960ad7aec53c2712bd

Intel architecture:
  ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10_i386.deb
    MD5 checksum: 9385c3e6891892d38b47682fa076f559

Motorola 680x0 architecture:
  ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10_m68k.deb
    MD5 checksum: d4f4cfac9c303bf61fb23801722709d2

These files will be moved into ftp://ftp.debian.org/debian/dists/hamm/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
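As an added example (not part of the Debian advisory or the fsp package), the following POSIX shell audit checks a passwd file for the "ftp" login that fsp creates, which upgrading does not remove. It runs against a constructed sample file standing in for the real /etc/passwd; the function names are this example's own.

```shell
#!/bin/sh
# Audit a passwd-format file for the "ftp" account that the fsp package adds.
# On a system running the standard ftpd or wu-ftpd that account enables
# anonymous FTP, and upgrading fsp does not delete it.

# has_ftp_account FILE -> returns 0 if a line with login name "ftp" exists, 1 otherwise.
# The anchored "^ftp:" avoids false matches on names like "sftp" or "ftpadmin".
has_ftp_account() {
    grep -q '^ftp:' "$1"
}

# ftp_home FILE -> prints the home directory field of the ftp account (empty if none).
ftp_home() {
    awk -F: '$1 == "ftp" { print $6 }' "$1"
}

# audit_passwd FILE -> prints a verdict; returns 0 when the account is present
# (action needed), 1 when the file is clean.
audit_passwd() {
    if has_ftp_account "$1"; then
        echo "WARNING: 'ftp' account present (home: $(ftp_home "$1")) in $1;"
        echo "         anonymous FTP may be enabled on ftpd/wu-ftpd. Remove it with: userdel ftp"
        return 0
    fi
    echo "OK: no 'ftp' account in $1"
    return 1
}

# Constructed sample resembling /etc/passwd after fsp installed its ftp user.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ftp:x:1003:1003:FSP anonymous account:/home/ftp:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF

audit_passwd "$SAMPLE_PASSWD"
```

Run it against the real file with `audit_passwd /etc/passwd`; pair the result with which FTP daemon inetd actually starts, since on proftpd the account alone does not enable anonymous access.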
Security flaw in Debian’s fsp package.