It looks like all but one of the .patch files should be applied.
/BackupPC-3.2.1-fix-XSS-vulnerability2.patch is already applied but the
other XSS patch is not.

Both fixes shave been applied in both the 3.3.0 and 4.0.0 releases.  I fixed the second one in a slightly different manner than the submitted patch.  If you look down a couple of lines, there is a check that $num is numeric.  The XSS vulnerability comes from $num not being escaped in the error message.

So I put the EscHTML() fix in the Invalid_number__num language strings.

The qw patch fixes a Perl warning.

These should also be fixed in both 3.3.0 and 4.0.0.  Is there another case that I missed?