We have found that the fsp package introduces a possible security flaw.
When the fsp package is installed it adds the ftp user without prompting
the admin. This can enable anonymous FTP if you use the standard ftp or
wu-ftpd as your FTP daemon.
If you have have installed fsp and a FTP daemon and do not want to have
anonymous FTP enabled you should remove the ftp account. This can be done
with the command "userdel ftp".
Please note that if you use proftpd as the FTP daemon this flaw will not
affect you, since it required one to enable anonymous FTP manually.
We have fixed this in fsp 2.71-10. Please note that if you have already
installed fsp upgrading to this version will not remove the FTP user,
you will have to do manually.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.0 alias hamm
-------------------------------
This version of Debian was released only for the Intel and the
Motorola 680x0 architecture.
Source archives:
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71.orig.tar.gz
MD5 checksum: 4cce768adb80e9ea5ff7d96b98369624
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10.diff.gz
MD5 checksum: 367fe0c589f4bca9b1e76babc1d50edc
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10.dsc
MD5 checksum: b232716fdfbe82960ad7aec53c2712bd
Intel architecture:
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10_i386.deb
MD5 checksum: 9385c3e6891892d38b47682fa076f559
Motorola 680x0 architecture:
ftp://ftp.debian.org/pub/debian/dists/proposed-updates/fsp_2.71-8hamm10_m68k.deb
MD5 checksum: d4f4cfac9c303bf61fb23801722709d2
These files will be moved into
ftp://ftp.debian.org/debian/dists/hamm/*/binary-$arch/ soon.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
