CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247): ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
net-ftp/tnftp is only the ftp client, we don't have tnftpd in the tree.
oh, sorry I missed that.