tnftp is a NetBSD FTP client with several advanced features.
The fetch_url function in usr.bin/ftp/fetch.c allows remote attackers to execute arbitrary commands via a
A remote attacker could possibly execute arbitrary code with the privileges of the process.
There is no known workaround at this time.
All tnftp users should upgrade to the latest version:
# emerge --sync
# emerge --ask --verbose --oneshot ">=net-ftp/tnftp-20141104"