The postinst installation script for ProFTPD in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended.
ProFTPD on Debian Linux postinst Installation Privilege Escalation
Remote / Network Access
Loss of Confidentiality
The Debian ProFTPD package installation scripts contain a flaw that leaves the service running as 'uid/root'. The issue is triggered when the package is installed. It is possible that the flaw may allow unintended file system privileges, resulting in a loss of confidentiality.
Upgrade to proftpd version 1.2.0pre10-2.0potato1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.