You're shipping cftp 0.12, which has been known for more than a year to be remotely exploitable. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago