Package: vsftpd
Version: 3.0.3-13+b2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hello.

Feel free to downgrade the severity if I am misunderstanding the
situation.

A fresh install of vsftpd accepts connections from local users by default,
that is, /etc/vsftpd.conf contains local_enable=YES.

/usr/share/doc/vsftpd/README.Debian says that
 * this line should be commented
 * uncommenting it is a bad idea
   because the password would be transmitted without encryption
so this is most probably unwanted.

The documentation is also wrong for anonymous access (should be
enabled by default, actually disabled in the configuration file),
but this is a minor issue.

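An added example, not part of the original report or of the vsftpd package: a POSIX shell check that classifies a vsftpd.conf by whether local logins are enabled and whether they are forced over TLS. The function names and verdict strings are this example's own. It assumes the compiled-in defaults documented in vsftpd.conf(5) (local_enable=NO, ssl_enable=NO, force_local_logins_ssl=YES) and that a later setting overrides an earlier one.

```sh
#!/bin/sh
# Added example: audit a vsftpd.conf for cleartext local logins.

# Print the effective value (YES/NO) of a boolean option.
# Assumption: the last uncommented "name=value" line wins; if the option is
# absent or commented out, the compiled-in default passed as $3 applies.
vsftpd_bool() {  # usage: vsftpd_bool FILE OPTION DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 \
          | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$val" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *)          echo "$3" ;;
    esac
}

# Print one verdict word for the given configuration file.
audit_vsftpd_conf() {  # usage: audit_vsftpd_conf FILE
    local_enable=$(vsftpd_bool "$1" local_enable NO)
    ssl_enable=$(vsftpd_bool "$1" ssl_enable NO)
    force_ssl=$(vsftpd_bool "$1" force_local_logins_ssl YES)
    if [ "$local_enable" = NO ]; then
        echo LOCAL_LOGINS_OFF          # system accounts cannot log in
    elif [ "$ssl_enable" = YES ] && [ "$force_ssl" = YES ]; then
        echo LOCAL_LOGINS_TLS_ONLY     # password only sent inside TLS
    else
        echo LOCAL_LOGINS_CLEARTEXT    # the situation the report describes
    fi
}

# Constructed sample mirroring the report: local_enable=YES, no TLS settings.
sample=$(mktemp)
printf '%s\n' 'listen=NO' '#anonymous_enable=YES' 'local_enable=YES' > "$sample"
echo "sample config: $(audit_vsftpd_conf "$sample")"
rm -f "$sample"
```

On a real host, call audit_vsftpd_conf /etc/vsftpd.conf and treat LOCAL_LOGINS_CLEARTEXT as the finding to fix.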