It looks like all but one of the .patch files should be applied.
/BackupPC-3.2.1-fix-XSS-vulnerability2.patch is already applied but the
other XSS patch is not.
Both fixes shave been applied in both the 3.3.0 and 4.0.0 releases. I fixed the second one in a slightly different manner than the submitted patch. If you look down a couple of lines, there is a check that $num is numeric. The XSS vulnerability comes from $num not being escaped in the error message.
So I put the EscHTML() fix in the Invalid_number__num language strings.
The qw patch fixes a Perl warning.
These should also be fixed in both 3.3.0 and 4.0.0. Is there another case that I missed?