Ok, ignore the wording of the advisory. The bug is as I described. If userlist_enable=YES then vsftpd does not ask for a password if an invalid username is entered (and therefore it is disclosed that the username is not valid). I will check the value of local_enabled, when I return to my computer next week.
Regards, Mark. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to vsftpd in ubuntu. https://bugs.launchpad.net/bugs/672328 Title: vsftpd: discloses whether usernames are valid or not -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs