I did a quick scan of libfetch (fetch(3)) and it seems clean. Thats sort of interesting to me because I've wondered for some time why ftp does not actually use libfetch. Can't say whether ftp not sharing the libfetch code is good or bad, in this case.
I bet a huge number of the population who has used the FTP client has never used it for HTTP because... using an FTP client for HTTP just doesn't make sense.
In OpenBSD the ftp(1) program /is/ the cli http client for the base system. wget is available in ports but not install by default. FreeBSD is probably similar
The wget-like utility present in the FreeBSD base system is fetch(1). It is a cli for the underlying libfetch, which provides HTTP/FTP client functions, and is used behind the scenes in a lot of places in the FreeBSD base, notably by all the package manager and ports systems.
The vulnerable ftp we're talking about here is a completely distinct piece of software, which is generally used only when you want to interactively browse a ftp server. But it doesn't seem to be related much to fetch(1). It has obviously common origins with the OpenBSD one, but I can't comment on how vulnerable the OpenBSD version is.
