It is a bit frightening that such a package with lots of CVE fixes apparently is dead upstream (since the patches from 2008 have not been incorporated into a new release). On the other hand, someone must have written the patches; is there no new upstream who has taken over? If not, is the software still useful and unique enough to keep it around?
Apart from these more fundamental questions, it looks good to push.

Andreas