oɔɯǝɹ, as was mentioned, it is hard to do much of a security audit based off of some of the vague information provided.
I imagine that you have some understanding and awareness of typical security issues since you are actually here and asking about the security of an FTP related service.
Still, there are certainly aspects of this which are often questionable when it comes to security (old / presumably no longer supported, FTP related). Also, Open Source is great - when it is maintained and I like to think that consequently the 'white hats' can outweigh the 'black hats' heh.
Personally, I would find another solution because even if you skate by without a security issue for now, you are likely going to be looking for a new solution sooner rather than later (I'm just presuming this based on my own experience).
A main concern, just to be clear and this may be why you asked the question in the first place, is that software which has not undergone development for so long (I mean, that is coming on a DECADE) has a decent chance of eventually being exploited in some way and there is no one out there to watch for it and fix it, let alone even report it.
To answer your 5 questions, though (and hopefully get a bounty or a point so I can escape the newbie points sandbox :-p):
1. Sort of just went over the possible ways it could be a risk. You could look at it from another perspective, though, and see if there is anyone (ideally more than one!) who also still uses it.
   If said group is using it, then you could possibly rely on them being a sort of 'canary in a coal mine.' Though that analogy is clearly not terribly sound in this field heh..
2. Yes, the age of the library would be a concern. The one thing it has going for it is that it is connected, however distantly, to the Apache Foundation.
3. Yes, the maintenance state would be a concern for me as well - see the beginning of my answer as to why.
4. Heh, I hadn't looked ahead on the questions, I swear! :-p ... see response to Question 2
5. Yes, there are potential security concerns. However, they are all speculative. Another way to possibly get something more concrete is to do some Link research, Domain research, and maybe some research on any others still using it (if there are any) - as well as taking that fact itself (pertaining to any remaining users) into serious consideration.
Good luck and feel free to check back in about it! Good rule of thumb is to try and stay up to date with software! But I suppose, sometimes not TOO up to date that you are just the guinea pig / bug finder ha.
Cheers