NOTE: This does not affect the builds distributed by either Atomicorp or Parallels.
Before building any third-party application, we always verify the source code GPG signature for every vendor that signs their code (proftpd is one of them), using keys we know we can trust. Furthermore, in many cases we also manually review source code passing through the atomic and asl repos before building, and we always check diffs to know whether any changes are worth pushing as updates. So even if the attackers had managed to compromise both the code and the keys, the diffs in this case would have been reviewed, and we are (as our ASL users know) very, very paranoid people.
Finally, all of our binary packages are signed with our GPG key from systems that are not part of the ProFTPD mirror network. This compromise only affected the official ProFTPD source code for a few days, and did not affect the builds distributed by either Atomicorp or Parallels.
If you manually downloaded the source code between November 28 and December 2 from any official proftpd mirror, this advisory affects you. If you are using any Atomicorp build, you are NOT affected by this.
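The signature check described above, as an added example that is not Atomicorp's build tooling: it runs `gpgv` against a dedicated keyring and accepts a tarball only when GnuPG's machine-readable status output shows a valid signature from a pinned primary key. The fingerprints, signer name and sample status lines are constructed placeholders, and `signer_is_pinned` and `verify_source` are hypothetical names.

```python
import subprocess

# Any of these status keywords means "do not build".
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

def signer_is_pinned(status_text, pinned):
    """Policy over GnuPG --status-fd output: accept only when every valid
    signature comes from a pinned primary key and nothing was rejected."""
    pinned = {f.replace(" ", "").upper() for f in pinned}
    trusted = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # skip human-readable text; only status lines are parsed
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; the 10th field, when present,
            # is the primary key fingerprint, which is what gets pinned.
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
            if primary not in pinned:
                return False  # cryptographically valid, but not a trusted key
            trusted = True
    return trusted

def verify_source(tarball, signature, keyring, pinned):
    """Run gpgv against a dedicated keyring file, then apply the policy."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring, "--status-fd", "1", signature, tarball],
        capture_output=True, text=True)
    return proc.returncode == 0 and signer_is_pinned(proc.stdout, pinned)

# Constructed sample data: placeholder fingerprints, not real vendor keys.
VENDOR, OTHER = "A" * 40, "B" * 40
def _valid(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2010-11-01 1288569600 0 4 0 1 2 00 {fpr}\n")
GOOD = "gpgv: Signature made (constructed)\n[GNUPG:] NEWSIG\n" + _valid(VENDOR)
WRONG_KEY = "[GNUPG:] NEWSIG\n" + _valid(OTHER)
TAMPERED = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {VENDOR[-16:]} Example Signer\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("wrong key", WRONG_KEY), ("tampered", TAMPERED)]:
        print(name, signer_is_pinned(text, [VENDOR]))
```

Pinning the fingerprint matters because a signature that merely verifies against some key in a general-purpose keyring says nothing about who signed the release.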
Official note from the ProFTPD team:
ftp.proftpd.org compromised
The ProFTPD Project team is sorry to announce that the Project's main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD 1.3.3c source code, from November 28, 2010 to December 2, 2010. All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD.
Further information is available here:
http://www.proftpd.org/
http://www.net-security.org/secworld.php?id=10243