Version 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code. Upstream has now moved the source code and site to https://security.appspot.com/vsftpd.html.
It looks like we may be okay. Using the information from http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html I did the following: wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc gpg --verify vsftpd-2.3.4.tar.gz.asc and got "Good signature from "Chris Evans <chris@scary.beasts.org>". Then sha256sum vsftpd-2.3.4.tar.gz gave b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a which matches the Manifest which has not changed in the last 6 weeks. FYI the compromised tarball has sha256 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5
Craig and I have checked our tarball yesterday as well and got to the same result, so Gentoo is not affected.