As a result of the wu-ftpd update, my /etc/ftpaccess was moved to /etc/ftpaccess.rpmsave. As a consequence, anonymous ftp access was opened for the world in the configuration file (IIRC), and several other toggles (like where people can connect, where PASV/PORT theft is allowed etc.) were "lost". I think these files, or at least most of them, should be %noreplace.
They aren't noreplace because the /home/ftp -> /var/ftp change needed to get into every config file. Guess I'd better move that to a %post script, though.
Fixed in 2.6.2-1
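
A post-upgrade check for the situation reported above, as an added example that is not part of this bug report or of the wu-ftpd package: it lists settings that exist in a saved `*.rpmsave` file but are missing from the file installed in its place. The function names and the sample ftpaccess contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report settings lost when an upgrade replaced a config file.

# Print a file without comment/blank lines, whitespace-normalised and sorted.
normalise() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | sort -u
}

# lost_directives SAVED CURRENT: print lines present only in SAVED.
lost_directives() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    a=$(mktemp) && b=$(mktemp) || return 2
    normalise "$1" >"$a"
    normalise "$2" >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# scan_rpmsave DIR: compare every *.rpmsave under DIR with its live file.
scan_rpmsave() {
    find "$1" -type f -name '*.rpmsave' | sort | while IFS= read -r saved; do
        live=${saved%.rpmsave}
        if [ ! -e "$live" ]; then
            echo "$saved: no replacement file installed"
            continue
        fi
        lost_directives "$saved" "$live" | awk -v f="$live" '{print f ": lost: " $0}'
    done
}

# Constructed sample: an admin-tuned ftpaccess and a packaged default.
make_sample() {
    mkdir -p "$1"
    cat >"$1/ftpaccess.rpmsave" <<'EOF'
# local policy (constructed)
class   local   real    192.168.0.*
loginfails 3
pasv-allow local 192.168.0.*
EOF
    cat >"$1/ftpaccess" <<'EOF'
# packaged default (constructed)
class   all   real,guest,anonymous  *
loginfails 3
EOF
}

demo=$(mktemp -d) && make_sample "$demo" && scan_rpmsave "$demo"
rm -rf "$demo"
```

On a real system the directory to scan would be `/etc`; each reported line is a setting to review and re-apply by hand.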