Is your userlist_deny=NO/YES set. Could this be missing or commented out in your configuration? Also, is your local_enable= variable set?
The security advisory only addresses disclosure of valid users and does not allow password-less logins. I am sure a patched security update will be provided for brute force username disclosure. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to vsftpd in ubuntu. https://bugs.launchpad.net/bugs/672328 Title: vsftpd: discloses whether usernames are valid or not -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs