As a result of the wu-ftpd update, my /etc/ftpaccess was moved to /etc/ftpaccess.rpmsave.
As a consequence, anonymous ftp access was opened for the world in the
configuration file (IIRC), and several other toggles (like where people can connect, where
PASV/PORT theft is allowed etc.) were "lost".
I think these files, or at least most of them, should be %noreplace.
They aren't noreplace because the /home/ftp -> /var/ftp change needed to get
into every config file. Guess I'd better move that to a %post script, though.
Fixed in 2.6.2-1